From fe1384a5a255912441ddbfaf52ee6947631bd844 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" Date: Tue, 17 Sep 2024 00:44:27 +0000 Subject: [PATCH] Added chart versions: codefresh/cf-runtime: - 6.3.61 confluent/confluent-for-kubernetes: - 0.1033.33 speedscale/speedscale-operator: - 2.2.419 --- assets/codefresh/cf-runtime-6.3.61.tgz | Bin 0 -> 43676 bytes .../confluent-for-kubernetes-0.1033.33.tgz | Bin 0 -> 369990 bytes .../speedscale-operator-2.2.419.tgz | Bin 0 -> 16996 bytes .../codefresh/cf-runtime/6.3.61/.helmignore | 3 + charts/codefresh/cf-runtime/6.3.61/Chart.yaml | 28 + charts/codefresh/cf-runtime/6.3.61/README.md | 1228 ++ .../cf-runtime/6.3.61/README.md.gotmpl | 1007 ++ .../6.3.61/files/cleanup-runtime.sh | 37 + .../6.3.61/files/configure-dind-certs.sh | 132 + .../cf-runtime/6.3.61/files/init-runtime.sh | 80 + .../6.3.61/files/reconcile-runtime.sh | 38 + .../_components/app-proxy/_deployment.yaml | 70 + .../_components/app-proxy/_env-vars.yaml | 19 + .../_components/app-proxy/_helpers.tpl | 43 + .../_components/app-proxy/_ingress.yaml | 32 + .../_components/app-proxy/_rbac.yaml | 47 + .../_components/app-proxy/_service.yaml | 17 + .../event-exporter/_deployment.yaml | 62 + .../_components/event-exporter/_env-vars.yaml | 14 + .../_components/event-exporter/_helpers.tpl | 43 + .../_components/event-exporter/_rbac.yaml | 47 + .../_components/event-exporter/_service.yaml | 17 + .../event-exporter/_serviceMontor.yaml | 14 + .../_components/monitor/_deployment.yaml | 70 + .../_components/monitor/_env-vars.yaml | 26 + .../_components/monitor/_helpers.tpl | 42 + .../templates/_components/monitor/_rbac.yaml | 56 + .../_components/monitor/_service.yaml | 17 + .../_components/runner/_deployment.yaml | 103 + .../templates/_components/runner/_helpers.tpl | 42 + .../templates/_components/runner/_rbac.yaml | 53 + .../_init-container.yaml | 30 + .../_main-container.yaml | 28 + .../_sidecar-container.yaml | 22 + .../volume-provisioner/_cronjob.yaml | 58 + .../volume-provisioner/_daemonset.yaml | 98 + 
.../volume-provisioner/_deployment.yaml | 67 + .../volume-provisioner/_env-vars.yaml | 88 + .../volume-provisioner/_helpers.tpl | 93 + .../_components/volume-provisioner/_rbac.yaml | 71 + .../volume-provisioner/_secret.yaml | 22 + .../volume-provisioner/_storageclass.yaml | 47 + .../cf-runtime/6.3.61/templates/_helpers.tpl | 51 + .../templates/app-proxy/deployment.yaml | 9 + .../6.3.61/templates/app-proxy/ingress.yaml | 9 + .../6.3.61/templates/app-proxy/rbac.yaml | 9 + .../6.3.61/templates/app-proxy/service.yaml | 9 + .../templates/event-exporter/deployment.yaml | 9 + .../6.3.61/templates/event-exporter/rbac.yaml | 9 + .../templates/event-exporter/service.yaml | 11 + .../templates/extra/extra-resources.yaml | 6 + .../templates/extra/runtime-images-cm.yaml | 19 + .../hooks/post-install/cm-update-runtime.yaml | 18 + .../hooks/post-install/job-gencerts-dind.yaml | 68 + .../post-install/job-update-runtime.yaml | 77 + .../post-install/rbac-gencerts-dind.yaml | 37 + .../pre-delete/job-cleanup-resources.yaml | 73 + .../pre-delete/rbac-cleanup-resources.yaml | 46 + .../6.3.61/templates/monitor/deployment.yaml | 9 + .../6.3.61/templates/monitor/rbac.yaml | 9 + .../6.3.61/templates/monitor/service.yaml | 9 + .../templates/other/external-secrets.yaml | 2 + .../6.3.61/templates/other/podMonitor.yaml | 2 + .../templates/other/serviceMonitor.yaml | 2 + .../6.3.61/templates/runner/deployment.yaml | 9 + .../6.3.61/templates/runner/rbac.yaml | 9 + .../6.3.61/templates/runtime/_helpers.tpl | 123 + .../templates/runtime/cm-dind-daemon.yaml | 10 + .../6.3.61/templates/runtime/rbac.yaml | 48 + .../runtime/runtime-env-spec-tmpl.yaml | 211 + .../6.3.61/templates/runtime/secret.yaml | 11 + .../6.3.61/templates/runtime/svc-dind.yaml | 16 + .../templates/volume-provisioner/cronjob.yaml | 11 + .../volume-provisioner/daemonset.yaml | 11 + .../volume-provisioner/deployment.yaml | 10 + .../templates/volume-provisioner/rbac.yaml | 9 + .../templates/volume-provisioner/secret.yaml | 10 + 
.../volume-provisioner/storageclass.yaml | 10 + .../codefresh/cf-runtime/6.3.61/values.yaml | 947 ++ .../0.1033.33/Chart.yaml | 23 + .../0.1033.33/README.md | 72 + .../0.1033.33/app-readme.md | 3 + .../platform.confluent.io_clusterlinks.yaml | 883 ++ ...rm.confluent.io_confluentrolebindings.yaml | 296 + .../platform.confluent.io_connectors.yaml | 496 + .../crds/platform.confluent.io_connects.yaml | 6941 ++++++++++ .../platform.confluent.io_controlcenters.yaml | 6394 +++++++++ ...latform.confluent.io_kafkarestclasses.yaml | 557 + ...latform.confluent.io_kafkarestproxies.yaml | 5834 ++++++++ .../crds/platform.confluent.io_kafkas.yaml | 10948 ++++++++++++++++ .../platform.confluent.io_kafkatopics.yaml | 410 + ...latform.confluent.io_kraftcontrollers.yaml | 5752 ++++++++ ...tform.confluent.io_kraftmigrationjobs.yaml | 194 + .../crds/platform.confluent.io_ksqldbs.yaml | 6646 ++++++++++ ...platform.confluent.io_schemaexporters.yaml | 688 + ...latform.confluent.io_schemaregistries.yaml | 5801 ++++++++ .../crds/platform.confluent.io_schemas.yaml | 590 + .../platform.confluent.io_zookeepers.yaml | 4713 +++++++ .../0.1033.33/templates/NOTES.txt | 4 + .../0.1033.33/templates/_helpers.tpl | 42 + .../0.1033.33/templates/clusterrole.yaml | 172 + .../templates/clusterrolebinding.yaml | 56 + .../0.1033.33/templates/deployment.yaml | 238 + .../0.1033.33/templates/licensing.yaml | 19 + .../0.1033.33/templates/service.yaml | 28 + .../0.1033.33/templates/serviceaccount.yaml | 18 + .../validatingwebhookconfiguration.yaml | 184 + .../0.1033.33/values.yaml | 269 + .../speedscale-operator/2.2.419/.helmignore | 23 + .../speedscale-operator/2.2.419/Chart.yaml | 27 + .../speedscale-operator/2.2.419/LICENSE | 201 + .../speedscale-operator/2.2.419/README.md | 111 + .../speedscale-operator/2.2.419/app-readme.md | 111 + .../2.2.419/questions.yaml | 9 + .../2.2.419/templates/NOTES.txt | 12 + .../2.2.419/templates/admission.yaml | 209 + .../2.2.419/templates/configmap.yaml | 43 + 
.../templates/crds/trafficreplays.yaml | 523 + .../2.2.419/templates/deployments.yaml | 132 + .../2.2.419/templates/hooks.yaml | 73 + .../2.2.419/templates/rbac.yaml | 244 + .../2.2.419/templates/secrets.yaml | 18 + .../2.2.419/templates/services.yaml | 22 + .../2.2.419/templates/tls.yaml | 183 + .../speedscale-operator/2.2.419/values.yaml | 138 + index.yaml | 92 +- 126 files changed, 66390 insertions(+), 1 deletion(-) create mode 100644 assets/codefresh/cf-runtime-6.3.61.tgz create mode 100644 assets/confluent/confluent-for-kubernetes-0.1033.33.tgz create mode 100644 assets/speedscale/speedscale-operator-2.2.419.tgz create mode 100644 charts/codefresh/cf-runtime/6.3.61/.helmignore create mode 100644 charts/codefresh/cf-runtime/6.3.61/Chart.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/README.md create mode 100644 charts/codefresh/cf-runtime/6.3.61/README.md.gotmpl create mode 100644 charts/codefresh/cf-runtime/6.3.61/files/cleanup-runtime.sh create mode 100644 charts/codefresh/cf-runtime/6.3.61/files/configure-dind-certs.sh create mode 100644 charts/codefresh/cf-runtime/6.3.61/files/init-runtime.sh create mode 100644 charts/codefresh/cf-runtime/6.3.61/files/reconcile-runtime.sh create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_env-vars.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_helpers.tpl create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_ingress.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_service.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_deployment.yaml create mode 100644 
charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_env-vars.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_helpers.tpl create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_service.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_serviceMontor.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_env-vars.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_helpers.tpl create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_service.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/_deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/_helpers.tpl create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/_rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/environment-variables/_init-container.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/environment-variables/_main-container.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/environment-variables/_sidecar-container.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_cronjob.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_daemonset.yaml create mode 100644 
charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_env-vars.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_helpers.tpl create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_secret.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_storageclass.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/_helpers.tpl create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/app-proxy/deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/app-proxy/ingress.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/app-proxy/rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/app-proxy/service.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/event-exporter/deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/event-exporter/rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/event-exporter/service.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/extra/extra-resources.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/extra/runtime-images-cm.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/hooks/post-install/cm-update-runtime.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/hooks/post-install/job-gencerts-dind.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/hooks/post-install/job-update-runtime.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/hooks/post-install/rbac-gencerts-dind.yaml create mode 100644 
charts/codefresh/cf-runtime/6.3.61/templates/hooks/pre-delete/job-cleanup-resources.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/hooks/pre-delete/rbac-cleanup-resources.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/monitor/deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/monitor/rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/monitor/service.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/other/external-secrets.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/other/podMonitor.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/other/serviceMonitor.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/runner/deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/runner/rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/runtime/_helpers.tpl create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/runtime/cm-dind-daemon.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/runtime/rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/runtime/runtime-env-spec-tmpl.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/runtime/secret.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/runtime/svc-dind.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/cronjob.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/daemonset.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/deployment.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/rbac.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/secret.yaml create mode 100644 charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/storageclass.yaml 
create mode 100644 charts/codefresh/cf-runtime/6.3.61/values.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/Chart.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/README.md create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/app-readme.md create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_clusterlinks.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_confluentrolebindings.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_connectors.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_connects.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_controlcenters.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kafkarestclasses.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kafkarestproxies.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kafkas.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kafkatopics.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kraftcontrollers.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kraftmigrationjobs.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_ksqldbs.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_schemaexporters.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_schemaregistries.yaml create mode 100644 
charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_schemas.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_zookeepers.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/templates/NOTES.txt create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/templates/_helpers.tpl create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/templates/clusterrole.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/templates/clusterrolebinding.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/templates/deployment.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/templates/licensing.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/templates/service.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/templates/serviceaccount.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/templates/validatingwebhookconfiguration.yaml create mode 100644 charts/confluent/confluent-for-kubernetes/0.1033.33/values.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.419/.helmignore create mode 100644 charts/speedscale/speedscale-operator/2.2.419/Chart.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.419/LICENSE create mode 100644 charts/speedscale/speedscale-operator/2.2.419/README.md create mode 100644 charts/speedscale/speedscale-operator/2.2.419/app-readme.md create mode 100644 charts/speedscale/speedscale-operator/2.2.419/questions.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.419/templates/NOTES.txt create mode 100644 charts/speedscale/speedscale-operator/2.2.419/templates/admission.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.419/templates/configmap.yaml create mode 100644 
charts/speedscale/speedscale-operator/2.2.419/templates/crds/trafficreplays.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.419/templates/deployments.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.419/templates/hooks.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.419/templates/rbac.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.419/templates/secrets.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.419/templates/services.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.419/templates/tls.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.419/values.yaml 
diff --git a/assets/codefresh/cf-runtime-6.3.61.tgz b/assets/codefresh/cf-runtime-6.3.61.tgz new file mode 100644 index 0000000000000000000000000000000000000000..5dea8e26a70bd09ede268670fbc7ca0d0e26bf55 GIT binary patch literal 43676 zcmV*IKxe-niwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POwia@)AlFbY4vbro33yfwC;kUIF3(YI!Ok0L9MCO+tuW z|D#&luOHU`15_Uv4{e%}&<5&2n|q%-WYihps6*6VCIhl%YhCEF}SOl zwc`V`RtKL@IH3?|u8kcy3Lu$)VCDhCaItNyKG+K_My`9}a z;|>Od_4>zu{aiC^uZ-%C+QI>Jp+%qo951+%<)il!#$CPSKp%Pz^lSu4qhx@nJf#Qr zN&p1V#{`8qnA0(EVWUzp=@hS4LGY~e%NKTVdhSUVl0-KXn))mEVJWYV9+(8d}Rw<(4k-2Xk z)k;sjP#-BN{Qu5!XOKL?2C$g_AMGC>*VFv}uzs}V|C>lJfMI}s7$9#<88T&%$a38| zz;`eRkOP%fWR7O8OP3Z1;na7n5Q3dg$aR5Sv>=>7AlMySy1Q&8UJ6hRP%f8J4N{N= z8!O421UwG#)WtWJOVPKcFoXdqy#W8^z>zg`L)IXK;0C(*Q)$df(!EZtc!KR)7>Io< zfMZ0$U|s?|qbGi|_O$h64M3nBz>xKw0E+-C2&@QBcjmf%R)93XZy!q%)>ZEe;E}?I zyRH?Ea4-cs0sLcz0_gl>mu@Yxz*|hh1}I0I%v5=FgyI!}0SNIe^Z@dJ@3H}cpTig` zKqGL?2@-=C&>9@gcW~Z=qicW&z*7{40*@D<2S+gzPBvee5g1em3`69N3D_YJf@Ze^ z-oZKHmCuofrk2ZcZ{Zve8~bz*=ev*5@knU7E|W=i0%$q^`6)ml+rq~P6vOI7D0ls0oumdJA zfO$h*H>(wkgEHiZM;XYYQ7|>1E#}45qD;L=oX;CKC0JUht;73?M!oUjQm~Q1WcINDhj0QUf zhjSk`Ko7ev^2Yp7sy63i2Pg;a5}-Lv<>Vdh1EK<>wGvo@>dt3$JD1Q>@dB%~zJ zjSgbGsEej3jD7(yg;NIhuvR}uQLgRJ8sNv;k5T)7%plQKs~;X^s#VSUk1=tP18plv z^qz_{Huh}fLL&JYAU?GD%8kV`y6)+L*$L1n1P%5$wpxy01*CB zeB+d2wOSM%D8EY~g?(q3!iaT<3i9ZYuEKaQE9S-9WK3U4+jOlYQvmAk#1QpfH(SXr z1vi$R?FcIujq-wi&@s1XB*aq?%qZK$oO5EA7owTTLkeX}M5x^&nT@UnTF=K0E2rnw zjNM6g2MM9u@eQQ7j?j1( zNJ%sw%Rtub(uy3zk%in@00$Gg1hMNhz#(7J9-;^36X;s=K4l*ck)M1RAl6?slgw-z z5~9H2ouJGH&qAfNN^r^P*mB{#vXoxN>b8d2%ygk0V#?X*@4on%E*oMO2GP`0ez8$k z3RrE-*13}3I{@HA`F0U>I!_LXS z8njU5pPlCUuy=XZ9$qxh+y5$m-#f{ERSH1LMiOO?5;^PgQ(9M2 zrr4uQ;~Jb;aEd*~qtwxT0e1MM8egjf*ejateALiSHrSs{CUXBA2LwZOyFz zWFGL%G|OH^wssomu*?V*A~zvF@EI;o1!>r_*_exF2U$Bkl7lQSQRzwi$0RM}*#`Tx zG_C(*`!gaTkssh_1nsZ^e!Readjg%A3;8Fpmr_}pkhmE=B@!d1ju}73$D@`UH_P>r z2cu7HkoL{mt7wSRqyW(hPYq9EFz7+SnuVB8>uYsRuxUE;uR$xo-Y@tjGppg}5C+~_ 
z6Fb?&BTsJ8N@{wW)y#aNN6=XiK+m3cv5V|^1H8e(4dNH=M2vX@l=mvND%j)yE33lg zXy*QcZ^&CjI70i81Ph(ShnlEGeCQ?4sSmQ+Mi~y9!+7;PTDyu8OfbEy*yi#A^g|q2 zW2np&wyS8Qr@Z+=IE04EiEk|X7J7~V!$d={bIo|_b>$k~5dN=W6Lej<9^24C<+H@X^-fve8e{i^^vS6X``49gglpHk@s-T3LVYnM$9}z>2ay2l z&O)wrgIp@;{fRx8hNTwxZ|qTsGh#rCghtI$0EK;1dCpPG z@Z&9?Q|YAS$?rBK|dhulLjasR;$%= zl=%X5DwjggrIZCe3~0Bo=a}HqbLULf4bdG0pC-_w=p>jFB1}8aO!`a(s?ab1X2%2! zCQ+#0&#lkE0JWo+QqrK=;UvJb@x-5n98VR^LG%qE51gad6`~+$-yg$T{ZNCTg7$(T zs;@mn%K1IP^lJ6}1M9|ij9T5gG4>B^$2dHKBZKB29v#2>scPNC% z=*|k^@D|Ps7hF)vb`kW#A)H#sU0!TqgVrpZ3}*paP=r}6EGfgl2!o7Z`1!E<)6j-N zIGhCq5Y!gWl>SBZ-ra zWJBEmPSI>SJnQuZ_aV14Zuz5p;>rxmo*-|0jvd$l7n0Mw(5w>=2jK+H0_;PhCQ36ul$e@IJjYCF-{|((-2-P<9;xP*`K;8rfNEnRuCwS&Mz{4T9fj~T7F+n$33vrvn z0J|=9(l#ChIna!a-rAo-=sA(*mTMs@Vs=y}^P2!UmD^Wj=;BYq=z=z3yQe(9D5amv zZ2n$GOwa|_Gdq-NU3vyv(gXtRx$|9l1ZP%b(r_(#5v#Aq?m)d3pOuoT%;ZSq6#>#D z1dTm;{l=~kP{2Ah>p|5Rx#mtg1wRB#KAh zuPH3vVVPwp4f!+ImHOt+=mLk`01_x}Qp~{2ROmrkD*{K|A@--+hc{QN&|8ewOxx4R#I)J#UO#pi?a^^ zjldkwfCu@LIXc+M$`_Y|G{4HR4PcuyuiK(k`7ZtAmoET$wmWkmDCg)r%yhLfFu~Wa zKWaLL{#3fcA@$Lpbn87jMd|V&fUHA8v#-+N0Tei*AFK_-XVW=qfMs$!mH1vkwT|~+ zBCHs;3)XQVO#{*}a1dSw4&_`v@}Y}7I7FFoS2xGFue$9PL|d*pJ2QJL5c_L_K2f(r z=BzwTH3k?y!4xb~fy{-nP%1!`iTO-aKum zw;7F5j98)itE5CF*SdjjT>gyx%oa^t!}HSGOCsIvx#sFfcN@>4W-sJbVOZS21LmJVprbvC91?tNw#rW|)DK4TAPE!(ObWLt@P+Yh2J7F?Z z@)YJ<;iMs~{LD-V-rhwq=(>O4$Hf&ZXzhMNe}?q&629V~I$zyfVOnJ%Q|~f&(TS@oAfqjvhuZQdUH4($1cf zuO!7p_8szxIY&(Vkf<5J^QY0@!OV;PCZQFiKo*vXk^)doCjiyzuOjPpt=Lqn>Z;YN z2d`AYiE$owP}#Y$2;7YiK6C(xJlSc_xS|)lLWh-?IJ7R$yO;g8+y=z3Ra8s$sgDV4 z+|{W7S~F_qp;?V8UksX^i*|2#c6oZ*?k#{aGNNHJTs$7bpiwhxHS;LBTfM&OoSiHI zBv#7J47m;ivv1b+lVIo;R}2cBVlZgDGOK3oI1Qx#wkQxXfkESl0!ejf&^%oMP-u-M zFxIUD0qjkGc-igeLl_YQ`=n7b>!zf{X=gBOon2lm8rqRDMxkN5%vQHnHR%~cRDXB% znh6bOmml&_hQ5pEiejo!qbHSGO+e^&y6v;h1%>kZYU%87;LS|Tiv4JQ4ch13v*w^Z zY+syqF0@sBbcH?p51r);I z&T^R_jtR7Hxqjd?v?-qpXUu+=W~G;7-jZ(ryWJYL-nLusqNgXr^M1nQjx{{sChy?W z1i2767pWpbPK_Q1Xc9mmslY z2?Cw9-?z^ifK6Z(fY7b5e8XkXBq%%rcovQsjouCh-3tAuACW7DKfJseoL+V=PKUIF 
zBvN04t~92YBKBYxOko%xoA85W0`2qmpx0^jhuz-gd3*4-ebpCdgp-85mkQN|W6PdP zn9JY{&)TQW)`y`ekdLg5U6<=UBjfU=O|&l0&f2X3&0;t1`Hj3~Mn*UQ-2hKvIDxYW zJd@I+DX(ee?PY(!9+|QK{iuTN;$UsC-OJvf0e-4Q3U0BwqlZ*nKHw``W}YQv23F_X z`i!QtDSKuDEZ4=KxNbpF1%?=WvXEkd9YBMG&?iFT>+qK@=ub-hE~kEZmsVqDhtT=| zh|BxvoO|BX(`c|xbm zI3>(Qr%fkd`()T3(5;E$A`onVpY+WKFbw9v3PU*cLlPmPk|EtluRZ8}7&ZrV3mo+0 z7V7utU-UB18;d>yDiXRB5gSGi_ZEzOMD2^y6}rDRcAro3(z7J!uZw@uNy*R|5ojHh+WcS|kJ$Xu07;?5^}=6NJDTg)pFdpFN4YhsYxQ z*!tmu&9HOPYz;c^+rz7iLFX(vsUH9%g)i`H5`r8UKnKh`UUj|-c2^f~+s(7V+YfY+ zFGDS6ZHX~lmtKnqRXExr0w0kw*nPg<@!-AAfX9u$Z2Qr z_UiR;aQUu%5$QFUW!0MiPa7GXQ`$xjM0yqO2`uuU5`ShIsHEqVlz!w|db;qf(4Jfa zACu4!e($8t8cZ<0UHqttR(^zc2uq&ivx?Czqpoe8zB)4*wG&zMWFY_HjBe6~p(`H6 zHYo>qgFHkg6uH`~YWh6$_VT>l0F`j+=Z@1DdNvF~e)YBPI7uLnFjVw#Y=>@A#Z`YL zUO|1EqZBz^LEZ^tmi#y;bhS(0>F^hAyxSA3=+F!>^U&u;rNRvVgPB(mua^k6Z=*7y z?KdhFA(%I6a&rt_at8x6nkxhhU6TA|TXdWopaMg?LWs*w;mkCsVq2y!9wN|!>0%Ww z*&FnOT9C04O}Se*kBT9WJ(_}2wTqzA<=Rhmvv%~#{OKpNR;@M;<$+h6C=APS0`3xm zcK4_KI#=(&&pr&$6nbH#)GoaMP2V@V0scHsn!P;0MV#gPhEE|IYQbES8q4E~PDjgKB9|y<9Uwm`R7%EaoSO9tBfH_D=zNyPwjG}l-v(KLC@QZWC zVkOX>TL^tX&oA6KQv$uNT(dgda*Y1fWtFoshlIo~z1b)BSGM5EMW1m7?j~>oqnb>? zGZUx$3HO$ls(bs2&~+*8P37rVLclk_LpzkKmm7;_fpC#VnG*?0C@_}VS*2*4B2Z!~ z#D<8HEL7O~9A}FTPv;JvT8Oh}`0U)i+`mf?|JFZ8 z2HCoE*|L7<^xn!R;$zNNdd4 z7Yx6eTtzZ?-aL5AME@Qva0!!trp{KP@e*@SFvxuW0f}Oi+*JNjrkY@raw-eH#>Hgh zIg(jveF!E!Uq`m4l4A0tIJH81BGix~3sBKtsRBL6$0#yEGK2|LC3&S5TEQ5GT}%(S z(M1#`H&b~cZ>$_nEt^{(vQJaXj~Wi(7=CVm;cyB=YZ!}*LmxXsR(iN&{^zbjY9Bjt zAKHm8QW<4-a|s_;$|pMI(JH|ez{NB<+gD5{bXO}eHv=qglp-p#Tq+beR%kU!s+qHL4wMD?IEzxOY4$XfVhPH7<&UKo zk-QP(pZIVGgBzAPhGF?7D7%QT|9+y3oc_TlApMK;CHj{yKRVEbA!Oi^9Zz(xpIED5j_c&qoFqA zR}Jx)mx1y1Yw61u@Pj>Su}E_R-|fTc9SlI@XW$3O3rCy&F#EF` z9;Z$zP~J6p$VsvOz}K&dka(8w6UxQ-ay*F;Da8v+E-v+5W84cFFN(ilECFGx!}oOB zaZMdwgx2^Acocar1P8P>@gb9Bq=3sBjbd7;QZH|dXyjU@MpF1SnTG{lFLBb)oHKF| zm-Wsx9XR5ky;_b-VOvI2KPD<->LG43FT06uatf{*QKJ*-! 
zAx9^T_>P>G|AX)VCZ-<;;VSE<@@`&>N$LDz!Mw|sjAmej-$*4)O6W9&ys5UG)}4JZ zSn!_(P(WFLDTBWxF^iB=af7R9c=$R?UPpt-|(Av?0*6!3d)r&`tq=%z$Q}RzLsuhy|R+0aqcW1EoWGjY9zZB#iJ@! zxROC(rMa~Vkjj3s`wnA*Nhsv4%o>w+OR;ekE!OOIhTZ1i?XcTxzv=v&Zy4Y&@W%{? zP+e8YKUe8%S=N2b!xMuq2Z@5+DJsq=LrXh83h4elsM&%fkQwXJn)Odb8 z^~x@mR^k5>==v}qX6UaLAbbh`uh(m7{ZGACKiu;FO{6bhDto2&XP?F6n}|rWc*Gxm zGX_)ItB84><#qgIX9!7zmWfxDWMP6+D3QH|PG(nu#LlR}%(KDKKKm0*`?C?{&t;>W z<-3)=lDJB;qVpY(B>u}7HH21xPi9Cd{W^l1n(jpDyP8+ zLDwO`3Lv-Clka8`0XsKy{z(0zPs=i|wLY|W%~EHS2!Ae5c|-($WqBwSnAak}V#o_@ z7mzzvXst?eMHO~WvNP@|ltqhhm5MZ>G}Iv#>)O74E#+UH$4Z9`HqjwuIX-E<)dIY- zDy}u~OU%;r%1U3ba&K>o(a-9X47sJn%A{m5lV56q7%E#Sy6rnLL2{t69>_`Ik__Ck z_@i71Kt`T=YF7ANrd9TTDLt=v{9AhdJFeF<=fCRycK_c*T6X^<#+)-7^>)UC;U^s2 zB5$l*IP=bBl2WmL<+Y*{|{f{h?Cspui-YM!D{{3&$a0;J-_Q&o2-+DjvvxoVKb zqc=d}UdWBi&Jyn|X@;gT7L!T6nur|iDTPx_B(M_J9C3@grm*IIY6}nXSjF%)h|-@32-)@&DT4{`UO0k+h8e(=lI7(o7lDXzh23?hFfV zQtxw@uh}P3-Fd+6Liy7$j5Hb9nu>|Xsij_6(eLqN5_(93foBDCQ0`$DmO)vuttzMK zztB4DNz5oB-k-MOD}#^17B{xw17#v_>iI`$#Rr%fANZKn@UkAWM&v-~MyZ~E3Q@*L z-P!fi{eebNnB*k~Gs=ASV;Y<6AU*W?uX=cNls^B}kGJ-J8%fLde=+9S^Iv*ve_E?NZeJ(3XQx|I%y2RW zIKFs4!+!)g#5Q&tV9@G{_Z{&g8)24{w8>k;Fzz75E}nYSG#qI0Zo2Vk*HaE?l?s9`X3qn1)FtZoRrL|L_}HSjW|9>n^$fa2)>Ccycc(yblvcaT=z z|JN`ATekln)YJDr^~3G^&&{Ml_dicz1Xf&Ye($@S=WY(Bde3?wOQ1);AIq`xDwnfX zUJN8j8hDLi_!78?gf9W}(DuA7y)@p{zLjxW+jeV}TdlPWxYSv{4r#taW3DyQ%KQHs zMqtbAzmDo@{}227_3C#2-$W|3|38!w*v70f3Ydebx2Jycx>U6QOB74liY+h;TfsKs zX>G&SUH|9U3vp143oKp#)%5$1gTvbP{oh8?D(hdk*w39j?@BOua|JT|<=KO!K)&FlKsq0@1^*3$! 
zDf>{IZ^#rd7C*5B*5 z5zIQdOCmRmF1t(mPlfX~~^wz&MiuJ_jh_CE(1|39^@{%nvb@S=I%E+l|+cd?9BzHOhK?~6!J7ndjP;bnKwxxDB%K-n;+*5@I1ogupy7!vd+ z{Q02z(@{CsJajSADI3#fw=*1EzH49Tz00cMXnBMdL(F>PjxO19_G+nhcGVxWd&ADj z$_{IpsADKJqS#&a&K|(?E!(bcUlAEOmuvAzso82>UR?|%wvrKzU3_D?rm#opFe1~D z?RT54_JTVb-Q}g?<>2erQt$GtJ$&7{IO$xRiXqou#uXpar?&Mix=L0v@-04%x7NMe z^l+*8{=csG-{t#%?I>;kQ#(4^>i;*A*0KMUyz0J&zf*aiu(kNjv-r(QQ};9VU7zHO zZG6*8)cbq=m1?KeO?~rpmJjFgHy5{i8vHI&Cf?uDS0kA}k%{k9Gret!Qt|zNUGI-e z_y7HRcK@#*Z~Z@RBrU%GdkVwf0yiq_-{n1bQ{U&{`SB61P*?Q&xTp8`xHxRHh|$by z7Hh`GPL5~EA}!h2r9uP3p1w`^IfNb^4069tYJpq6e}Ayg*`)gUInR6y%Yt={uM6Ee zuVr<8F9x&{*|zrC&mk3;|JL>XS-}72;c@!@r&{0o|J+DgEdM=};rAn2Wj&JTPjRWg zz{IPVwEsq^#Qb zRf}1p^2uee-mPkpnpuhrN^Ehc6kTerm_&V{(O|v_G4IT`XhEDid6tdbX3U6RRbOq* zh`%K>;t90eaH26HPK0S6tc}&X1>`{63bOlR#7^i;u#pQTk9}Ou zBJo+D!z3U)pKU5b$NTM7@wnY{yOMw&eb#U7-XF#8y`Z6c$~=C3yZ7g(Rrz*OVg1kg z=6?n3|I+cFYKPVB``?YEb?pCygsa-4t#16sfoyI6@@@Yzx~$bmoizMgo7{`-{!;3* z`vK!hco)i!|a|me+#ro@pu=pypj83*6=T@6kTffC$?H)`IiP=*!nNe z9OkLH-Zsfpc>iDD{BP<0e{`6B|5vNkw)TG;Nel0Pp2GZZxmJDcyPW54{P&O!J|Fxd zY(*13W?T0Xl{nPfvK;uu-<|%Tb8$MXghl zIAG96j=O}_7)u`XMNSh$kq2~}kZ-8;D2@|~NeuVg|ECu6 z?!Eul57YLa#|QQ8{=bo=IsX^f`uT2ietFVvfQ~1OuS@;**_+`>yL)!|;XK;Lv%4hI zuq!(x``u;s5%NUA6o^Z>-zoyd%HDZ0;zZ2hA4;f*A$Bf?(v6VV%I?35J+ZKIa@l%E zyVE}H^as5UI&VYF7@`Nqh=jp>`DXV#odFeGGOPIlDm=fxGgm;{YlDYR_uT)5sm@{% zVA=k^UrWXR*ss>A+x>qdNpq@LXvej#3Sco%jhnuQ+GZd1eD)n4k6V`)Z#t*v&29`Y z*BU`@ia;SRjQCy5p77ZmaEq>&HP5)kSI$buTm|fRbllyhR9d?K^J_c95AYqLs{#g< zp&elFcYIUS9AL@*e{i^;iT_jI#{bz&Qu(ffJjck6w_*?=27V*2LB++UheNOf|A_fk zhy!a3%^S)X4EpO(paDl0-z4T$J zjXir71kkhRnwJBauN(zpPoOh%lW$99Cin~dF~ia*OuTv-&D>w`4S9+}WFZ$i3u|YJ{|A9?617c_>?e znNd}G zB|4Ko&@th=z03EVe&_O{eKLIgAyGu=P>W4_p4E+Wv@<{FK~wRVAqPtslKuq~$bH3> zZhO_mQQ%1v&^~K=@P@T-oIu_?r$xU;q`q0Ap|QhUtf@`H^2%Oia^=@@l2;Z2?;Cvm!qpN^cY;~&&`Wvc(mYm?SJ^q`V znR*7Y&LhIudPny_VjWu@d4Y_B%mp&MA*RLbCf~t%$65Bhue`XVkek2uhs{>2-R}?I zwLc6yCk>6eznrER>saeWXW~!yXg_;u$6%>Fv?5Fu=YqVg8P7@J+`5P$ZhIy 
z^$Wq?3PsbMKE1p=J!=n}-R@bZ)f{v#FNUpN`=os_=rqszi3d{^7}|N#f5i?U?HsaP zQen!I^-wZzVd9K3#(3;PLsT+^ds6dvg1vJ3NsZRIm}s4;{F{Hy0?6n^C;fk4_1a2b zhi^J(?FL|-yp6oFugTZng1@)t z<;A9w?t~COcgyn01x)7a*OELrE33UE`J~D-i))HBTt4MAYB66g&goXheN7G)dlSy< zifW9j=~9+gNz@s8F&KMEUqOk8E&2QiMB3Un$c2mdpJJ0rqlZwtwW%FUKd$kWt)RSe z>05XwD?jXrEyqbabmgsMYMItL|F0MeV#)dcu)d!;|5uN;?>{$^)`|a+$Hdeq1?z-_ z$b#I4hsX~Pv3&nubtIB*8ty$BdQ`K|Y99nm0X9bQu)aEqT9f_zp%;T(eJ(5dC^7kP z0K^UnY}X>1Fc>RpxHNrBM8L=aX9(XEln8nkCE10k1`=UCNtOSg~@9x1k`%wk*^dE`oICOp5p1jx*@XGGCN-@W|q2R-HU3^ zFP7G~nAVd2IioIo0$3vd*Y>N~`=5jD{m(|yYVtoH_{0fdO|!^lMs|y>CUQ;{6l95C z$zS@`A2aw2IW%)WaUxL49xe)XAAki`Tn+FS8=J*vjRkFMO-(a4pt){47sAyVIclvB zbKq||`opI6_`h=OD6k7G)Bn_t)A1h<>xWzY&qmUU{9hS(z6%J}t7w4}%sF|8P0P$* zzEt+W#3CTX;06Nt*|I}-4#J5Q0;ZQ=NmR{fq92@jD~0a=uE4hfYYId5BJ#^BKI-Jd zrq}#a1F%m~cH|#HYjUUelc!!HEWtzUOnOW-4a$oAC2{(3b9%qy@CI`qsy55MV-O;Z z;r_%PhY`R(W+;FTDCa@5?kwb5H^@cd{J*gW0U}YYaxM;;TCCX-8RQ|)KdA`A&*4Ei zO;sE$c4Q83NO^Z@5yK{^yt@wZ-$%67mZjUXp8R8fU(mjpBF&OfolDN3nB-3{Or&8EY% zUcY?5xn^7T1bO3g>?}h=DVcB+jy+gjGMF(C{X$9Su0L(!mZStA-TRedrJ&HkET2Mu zcTYOsX41?5D;oGNNlWDa`td<3{!8uf=-_xO|8F9#WB;2m-ZfH&C*lX&B=uS;CsW8NoC*N$hOt7MrpPbpeuT9@icmVUw_z4eF zAxPB%l{hk06bVG>dlrfi8;zTJ^6pApmT761GEQAcJ)Pxa7K^NMBl|8wk3Wl5>FI9X zR(#N;-Ty7$H~av9o>x}%^ruft_W$Z}#{XY+f4{cf|2L5sueW@^ONU!}`C@Dz`Yr6w z<0bmTkmeH@X3IxUZFj~navuiDvRM4CJRe3>i97a4gA%!`08%%nG`PgKRe+|q)imJD z_g$d8qt5}W`esWgD5G_lecP~-$dH3 z|8H#lixv4Gi+}n0U(wQApO&uw`cZoQSC6*)|3=bw{eNTYpPS%6%;I0Z{)K_b=J)^V z*8kr|(suoSW9wh6$Vc7(nc2SqKl?ZcVQ_CHz>@V}tJYHcf4#PUxV8V>NMiGzjdxoN zcTpywt(3zFk`qe1;&kBFX9^3U-HS6UgnU2tV0q3$__=%{N!~nVfp);YbN5HzeJaBL z?|TSb&i|`v{cm;q{&zEJ%m4q*{9havx14{Qa#9ige_tiQGX7uNuc!I{(SCi)|2L7g z{Qvpz|A*!Mv7#W4{YQ_ei^4jWp6s?e%HJjF`TyrIu=u}5JPFo50W8!1?jP3D{QqF< z|8+Czks~-Vh7efZ7$&16^`fX=5g*bzdJla!fSv<`ViBGd@9saOyt_X&p`U45u>M89 z!D8$X!=A3o0hXTs57X~It4CY??`F~?uYU^uE{X&ZIbsnej?fz;56Yh%HqRtO5Z*$t zH$vlc%TGV~Pd+0xKxGd&v*~mm1uF%=&j@q!=pqsV(FBj|Nb(<-YMl6juV2LySoD@O 
z>wq)!`d;f8j6J*&B+B{{TkbwA@yH<^L0mZ%M_+Bs7?zvFldssloj@MfS-L=Krx)t*80_{(fzH|G$y+r2L=x zK~tUpNIs~XbywU93UhSgL;IWI=jxJ+xq22^DY2=cooGi*xwO;$;BQ8@2lwwc73KfG z;~QfPJsSogF&yMM59t5*;3%#C-LD^Q`Ts`Jlk$H#p_DCv-GS-10hR6F(4C_ax&HbE z->kO{B&PI3?+5bP99>Qgpf0DE?8nR>2bKdfWsOe|jVECPl=sWokKBo;;fv7pH*kal zXs}Prwa2UFMXk*VI%~1%0H^@U|0;LBS{m13r z#3b|^%f7{<(HWW|;mJbHi5w9iFVsMjERK(lI%D*1F$>Nbn$(%I((H-irAvZFwPS&Z zSzsv3ffvd;=VaJNC*W1k|B?=#PM|#tP$;bnwSm|rdOmjg$>REW@Zw=Gb9uybWK=gD zO6rkRryFEn#WP6_4~w*etXw%lmi^3xflM^now;sTtgo1Zi3a`Xqw2Y%>3*{2q^yFX zT+#BJm~sXvS8kA3xv|Kk9OYWUn5bn8CYZ`!f3XSu2Dy-!r!WNN5&g4bGhuiZKt?cw z(at23vO@P-RYeARcWNV?>KD!PcE8(fwWBX0V($Wnu4x#(_F22xF91PTx%Fn)>~@B4 zFZ%;6fZ`Hv6e`4+U=k)G9A}yvT)t~xDD7#Ns^HX&K^h^xg`Odzjv5TVvS2fU)=Fzh zfa`}XjdsDi7Ls;K2p`&5GHqACiG@#q9XkUyAe=iITvYg%iL7Mi`fQ7_-3TKU0#dZH1sRBSD2stN`+Rby86`P;I+o7y==5r~!aPHERsz zT+deJEH!|@7%gjA^{SK)ip+^o9Gogl>d!AvcmB;viT6nD;-A4LGVkL!|8Mrhj{731(_MdFP~ujIMW%?hEmb`-b5 z_dP|r{^iToa{BL|7VZB56uKv-{T1=n*LV=JRR4RBe*dw5xV8V-OnO%O-whjoh#CFJ zTHt6EE!FITq!#z3PSd+p?LM$-H=YFG+p^+FBL2ko8%bogD&+;18*&?!p2Al(+Gw7( zF9ySl=DFVHqPSv{>5&aD8Piv7sdsfT=$yA7qAmGhL2H{d1lfQUNMgA3)-hVWej0H1j48@b5tL!UU~BI3H`YLJRl?s(Dt7*3+TXPgfXnp1 z2ghmuU;D@P?fGvb>03PiJ*e_GmRyS{#WcsgvU;Q|XAXSj{1acfQRKwOZF@!*a-p+X zwez<{nk5SFy66K*)S+DXkN=B!uGm z^W>Zwfcre(Uby}rB>GE%^d#EihIMp-@eEJ4X|njpPfd#NGA&sDK6Zq|=X(kOOV@w(FungD zY|sCjNrl&cJR7zv|8JBQtpB9b_eYHXUaw{Re{bWzZzvUB|LG6_TORPYNZR$!Er%XT z{lEPDpML*UJ3g*%<^PQ&cKGGvUG(^$ES+=u=Y_Nf>_q+b&;EKa_d5FPK|VlGFCF0M z@Spp>KW&ld<;QkRj>!r-fko^8fzH$fg|K8wlv(1#!#LU#m3+4fFP!BJjX;8a~Ckz<1^0&NBhDHd4DzJ30{qI7TE4=D-i&2z}1)j~Wf&_}jpZX=TqXK4O#2FAU@6)ZY;kaZ$pxSxj;t0@bdb7CXLnvlW-|ZT>jWE`IKPC!(s01ev3)C8`E!OAs3X}z20T7 z0knkyA|QZ&%uoQGxKok;yv*LL?zWZ89LwUdd=xcgSTcMC-(xN(n<&q>4NZS5nq?$C zCgxdEFQQ(4^TkNTdC8i@Q6I)GCk-o|OPJx~5+-WA7+FNiYppa^voKXe`Q55lvqo=YM<3!wWbToMP|M?0*jG$C>!Qht=)*e-lajt}YI>rU|n-u?RgG z-_WzTjj4R#g~@=L@vh8+Q%H}M>w8&|D2R#pJE7?QMUQzlwp>W;IJ|HGP1@=SE1A)) zDW9l3)eT@6&VM27r`q6C56i~V!u7uy`~Q0NIBoyCwg2B#TKGU0M8Ub)UXO$5b#BsW 
zjme$<(c-JV(_Mq9@TkG}^xBkhw2l$lBQcg$KdcJh05LJCZ zuAiby$u8gSJ`?J%^x!qqu<|-r^X^uIXOTC&>e=F{+1EDRGcDf#P=t9@d4Ru9=jZF`_tL`=Ywa z(s~xu08||eri9F7Y2jax7n05fiwl&@G2nZPdtuCL1A2Erxt|LxZw$c?w{ZTF$v|up zfrM)?F5&M`L7_uH`37T`yJg#rGZC{kOXiJSY=uV$GCyjRwFbU^jXW`?XdJmDQ)1BQ zYUTMa`;zu8s(fo*o_8<%?P2G
n$_mz8AF=gbU+P&fHtIpZUlOn7`Bp2Q8)!Er|z*fa$0kZwK z&jZ;Qk6dI2&C_Rta2l5^(r^01%WnS(F;x-BqIcRE3|nWH7f;EuQaEIhe0TM_Jv?c5 z&n`ba34%)dS>(E%Zu_irK?}UTdSaHEgG(0aLHoRW)*Q5l?TgdS#nT|0!a=iF^@c~a z)=9LK@KdU9HYyU;mSG)o$}Q}igY8=w@Vjx1`sM_APM!)!QDvzL9GcyE zP$f>bp?j%tGT;^{aMZGNpKIDSB+9SgwJ5<*^*uJdNcDpP8U3X=5 zlpk$RRvUTP9a)9Ect5^3_~*45r!aeAFmtYs&BEQG1^iWyD^@Q)cJVT7@(Ioa|&9siQGBLrG1dUxFB?za)l-b5<5VCD0~$u zKegB0sp82sm#D0+$=GmB^L$K|AB#(xS-82AP651_gtE{Q<2$7fmhX21{CTdrGnILC zxTWjJPPYO6Wk{JqZX=U0^hu*q`5#1m+7ZD--Z+4Sm=jDwu#@}Qx59~d@T$c2tCV$5 ztCo?8%t;8RZ|64wa)i*Vw>*4m7=Zz#~!&>?P zI>)w~&XE$=5?%V%AG4y-h6+B5Uf;@_gaPu#Cjt@8yJ{VO&2~Fp@J~HhkB}Cx|2vyK z;dx~LuLt#7#{bLl*8X!NY0-O)#5%suV+#N*-)}I5FcXFfJ@{ayWi(|U2hs+fe=W18 zWi*=y@1lP-KyANTKs zqEiC~6+6J*@AzgdPOxPC*A9--{$Fc{``h=Q8%fN(n2&ci9`2&9;BqT!y~3H9;$j(# z`6hy~XM{J(m5kk{=-}3(l=Kl((*zN+)Jt_R(oIrPq#vTsf!?v-6|5vN~DgIyEKRDRNf7?h3Aqh#P zWZI}wqJQ&XI;8T{cx}^WlCu7L?dHjO+nhQN-NwT8Upv~bAEwU#wfa%*V7vY|kzTw| zqA>NCGwM?5AHPL5!AIu4c~twjBVXyD>DVL_7Aw(2xN>7TV^|TT4PMwl-UtU%X4h}I z|6dZ$UHJ3JwL*jZF|z`=TPnSU?o`A`9N_@)D%YhNR z8UHQe0bqdN1{l=M&mVVQgxIJXpX1zpnY*v%9?0ASHTO{F9;&%VGWUq)8sN8PU{6p8 z?Qj;rk2^0coeV(1H!H+!vYNG5Z0C=f{yNRfjfXCmv@`vNVXI@Y~?z|8!vs{DcCd)IcT^NwK ztjrPRdKiZ;Bm|rw@8sjoi$MHlPfO$w_RiUKnu_0-KJ>^0jp&@m@^AUgGyDKf5uq~> zM?ZGi+DL61rU%Bxh}BoEaWo2g*?s;&SwP9rmPjpA}NQY*;AHnCb(sy zwHGfyl9QE6*VorJ_6T-iiJk!fncz==va#jp)4HWTgy6R;0%`w^8;d|kQUTF9C^(hKlk z@-eAl0NT$R=;BW$zML8*09eH<0s|3N5qZFOE#v`q$lZ}q&FG=~dTE5sYuYP3MPUe? 
zf9x{oJveFrNx^Y)TxW#c%!DEG#susT2w8l`cW_R4<#XhrspYcVTQ~>A#y%tsv9}r> zW$)YxpymAMrvQa;_a$hKp%-ehh?=K9svGe4bmg*!B;mvgK>$ZEfSwHrusi@iBNDPe z$~+3C2%JoFB(4QWmmya^WgFnjSB6^K9GmQq1!dWH`3`A1H}oM{Uo48)D#;-I4|PuB z4vCR%Ssu870N>D_LkCP?0P{w=ZdNPeVYVR$Jjzhyty02IQMnx9@$MCo(f@c@>LfPe zQ#61ImBa@>z>YD4HM#JOTHHtWaGE*u*ug#*`$Qi*BRM`VQwx)$oD7ZqqwYDT)D{i% z+(G>)UDI<{0_h$opBD6?Cn6qskKBvOqFyLrF0=hee9ZQw5;@LdEV*PvoYdx=G|l9N zC%bDT`CPG zh=8f}I}W0-?*U|eWX8-6^aE&HA#?zNcQCMAK_R*+!~yleIVPcuvHuANw=T9E5Z%6j ziFHS}8R$`-Y1ttTpktOw&Cv+j6gG$1C>h|IJMEMHUl}`$kuX6I`mSX|hkHD^)&+~W zreFei%_DHqzOcCW*O9znfNP=AHC=35uJpXZ%=JaJL@QYf?Uao_gPARrd<3=v{~igmk9y8Oo-KSgilh&Oys@2>4CoQSP3H=NEZS>d;8U z$lnF@CqQ0^gW3x1%+x`?<9s!68%$N{FMc5FtOAaY#5vByVrh|FS7Sc6$V0leR zOu!woz;6nx`M6_Nl%I6j?(KC(V2)>CVmZL_<^YRZ4+3_O2~E|nT1E8_SJ57uDloKn zDOsuT5y$yweP!50qynw8j)uwx!sZx-li3YppDwEGf*smP_}QBJE_}(5b&x}M4Dj0+ z>V_%{L^B?wGKQg{{jkeu`I~Qr_GEqVmhZdsyaq(<684mPiXAC_YfA6(E}viZ2b8e1 z7=g;f`H?IfV?IN4L2|AE4t6Zh*#+jcHssDVJ>Bi?y}3g;X% z+wy>e2s>gi?m%}RO-G_xu(y{*h|yZ!o&C(*C|zqgH=kR3d(rWPLetB*l_JN6y}b{3 z2BtH@@uLHQLLCEPhu`ZIh3MjB7^&Ylan&yZ4=KAhqd4_CX1y?&{j~<%3G$p43_`*S zE`aGIOEP$pvmWH^(~L*%?J;ziG9q$|xwjWB@F{kfVC=#>%M1BolTJKED|zV|U9N8+ zN$mr38Af*X`*gy^&^4&UIT0F(T>|DIw5hc1wTt253hkmQhNe} z`40y2Bogcy&x0Q32O^Y(E1=L%oWU z9mai^SrW83r0_P`lzIWq(U^`Tn=9%q6rG7u&r271DCXWNx?>tFMCg7*Yq@Z2*>i9$ zCxtUq6^hX;DE(_m$%tQkVGFG+UD}l!;7hdh%0iYX3#W`P*_W^UKV|u7dU*}@C8A)t z0m{?4A%1grTS_@bQd*`~-#<7!I)3$2wVY^ISXw2TjgI=XV*EpGUaqdUn1r;HUe~2o ziKj6wU;XLT@zLSIe!Z3{!~4YkG>~IVU;r~^SWJ{`&xg~wp~W{+q=`zAy3J8bDQX!F z@Jb%=q%fBvwo;C+yab_TF0EqF^tyf8xd6R>6Lfo>_su~Yyla18Urf_fK=EctkgC{f z_XeFeoffUwYyZ!yc7Kpt*~+h*SBE?Dqzk-2-KZ*e8uhjGmG3N9?6eLNntLXgdGM21 zz+&yPb@zrHw1k3LJ>s%D`a?i0%V#)fC5M?(R!s%&8wh;vE8h9X-X3c`*(l{L#181$ zfO8Vo56VwG3|#DuVGwOXChdUGP5}K?MSS;=(Y_}atf~o4&fkQ_H_Zv8I#mKymL0oO zXkMH&2baAM;L`+pV9FRO(}mK0{*$uJ2```Te{3Y*s0BHvF9Il??I|U%ffwmRMI~aCt z1N@omCKVrSc;kamv)iHN92i17WI7ioK%)>KFL^6&mQ=ym;~s;V%Dta%SKN2m*t3xf z$S;v zm!0OhFh_{>gt~^=MEjj!k4aQzai>nVoqDxaH)>U*cFeY?azC^}$X=*7z;E26q1bxL 
zZ6?jrN=?_rpQ7!o++_1Bs=!4pyWVKBzVOqLx^dHQE!N$>XZd7;L;cr*H75EmdYC7S zT6r+}R~=0LB@ZUC19St~yz*?Qsmu$=W^)VZTjt+{KlSWqg@EGI$B69GwLTq@Jt2jb z0Qe|Hg8{oWwb#+?TL~gGu*USWo{k>ZP5=sMzqNNg` ze+uW6-1dXXDgTW%kN|+U#I&Z?pV+fL5!1%g3LPTD3g{7t{%d_A4P;Fljej;bXJ|E(g$(hWH}C)<5>XkCr`>fj1eZv zOX~qC4l6SLOF%F;ud?WoMrdRK387E8Q3{j7_`;>rjlv-om8l^!L6D&tz=%rRNm)Is z#8#uCL_tHwcIX=15W$eQ=V|S>zEmm_NJG&apb$<;BcVz#xUrSVfpBS*NqZoXd=}k= ze>PL!)rccYPy*3mQkiC%$TJT~1T{9x1WzG7*)an@(c_AukC%a37-sQoD{2URKj~eO z*OdlKr5SQIU;Q9poiH$v*Dx|l`CX+6ZMl+{`ukZsyFOkz3#Vqo$jD>c|loJIg*usoj{M1 zfbNSHGlrL*(V1;L8_keO)I!)mjpg}j%o3ClV7*~dW$7_UERzv*0b2AzxHo6cGL=cUtG zR!$Aj&p+%~e?~hMGrcy9KW31{^LEPMFYwt4#solng28TtLA!r>)oZnfr@hOo?$3Pa zlbL)ok`o;n#4vIV0!JfR!sC+ zgt%FN!nt@Ju2bK!y>I3<$rXV?161P-)7Ad^rOm_Q|$CHRdHjCD$b3^8EtpdNZFNvL=G234V_T(n^_T=eNOA9GezFDDmy&7mL_$;*yvG76rkfO z{%j=Ayr-?MY)dvR+VmZR5a+tW{s=A4u>$9sA9i_#0Sl^BRz8<=VXIR&o|F1Rn+?4% zu-uwqZ%}(wipt4@jB*ZCCO<3IjXp6k@&tJ&U`I&K$P+U3E}a~S<)TO1TyH5Q2(^~- zOH7DVENZ&wufY!T=vi$SsD_QpD<+j@JM2~@IzsaE&F+xdZZfQujs_4*h$d7(<6zfFcgBHsulMGOa+f2VwMNVOZBoJpgSvs!&^9C zT0rxa#~dBPsfFD9&sxCNESwBy0n&V879%;|ST%7$9t=MpR(~4WFbIdUU;zT!Vkz^0 zWr{!L&j%dV1zN&Jq$XTgDXA%>tHuyD3{}Y$JugdrA?cu6-eB#155j z0z6Fzl2*AZPlCTP8=C0Vu1t)z^2~^q8V?AiQX=yPPOLk`U6!y2)8c57JVr6ir^fdB zdVwmRS-C7zz%R9{H%(Jf6K~M?dyvopi1QtPr64^Q@RtzxLFyV9p!=T9WJP(`y!a5$ zN^+ z(==B$&7THKO``{)cotL( z+q}U%JBx9m6k_a3fOwfv{Ia_&0rVlzi>I{?KlUJq5*-laQGrsHSLW0?4)oMx>Iysy z!THq#;|0f>|98O>mcUm2J28<4Lb=#x^a?SbQ#9% z4Gp_!auJEc*$lgCeRxYv_?3(^!7lRc+sw3wluZ#7--Pl=ft?W8;sOXkO~!LbWW0ESFA8Sy%(_&4v1xR0amREMpG~Frt_)VjuwJY&?DmV7J<*FToO93yNcKBFi)+b zdqx(h52Iig!F?n%wJuJToB-jx01QoiTQv{Zos`iQRk3FAMF8%OQOc?0ZhF}c-wTJ;`l8J(BxeWEn zWx1r@i0MYk#_|Yq{E%RA#K#kgLg>4kf-Vbph4TM-z+Ufi726>=8654T#fxxyik<}=3W%qNmL7yEqAm`8) zz1DHx>Yf7O*ggr7JCB6;MfVLnuYie}6Uy)2pubiB4edx(U&uJ2n{TY=5w_haMPG!c&VSr*;^2A+ zM1rY?X-BtcCw<#UHH>nZ%l4#PF4b44P&l|28dUSdYP1JuR=3qT8uYAYr+w6`qwT%g zLAAP#o+IC$2Xw|L&J+pXCNcl(#wKXW-kjP&E+DFvhEzke$6;Q7Z_isN(A~>*yUJk4pz~N 
zGmog|FrZUQVtYD6MqWo8g^!(+^HaEVehd-{dw2vExqWdwj#|ABgYzCmv;V$p_1mAs^}_VC0Cr&@`cU^^9vCs%>~?*_K0L|>3GXEzRAQ&doF!x>FJx!LRhGT6<2AxQ zyf#Z)Oi4M1$#v&csV8Y0t&G^yjKbi*!b?-UPhrth9GfuZl|QbT6HHJL28OSkLuBy| zOrZ1Z5HYK59uMVRQrd`aQLQ@lf+ZXhI9a`1)-)>E4O8-&jB^>|fQ49q=S5!Nl5KSM zu}M}jmf{!ws!=A#vI!Q`WvJBAD{f`!L^85Xf%$I1=}xW=&vdQ~BiACF({_PzcCEhE z1}BrF#xK1(dIh#lM%iLL!Kv#8N1QDI1tuJGm?&_uqA*CYGY8sgF zshAeQDx={n@~%DK8)J8+vSxjMfOFI&I%_%?q+@A704H07O0FP6}d<2Pi+cF3w zzq10+DDB^9&trZF9!GW%3-*M8J@uMRxGYZsa`N}Z{3V@IzQ$ELNqaem4zk^;cyw#K zu0b5fh(iN-S%L;4w?TaBaQA_oNQNZi2LpsN{8_lf%Xnq<)8FY? z&7$q@*jF~X#z7d^C0da~bi(N@3}^+W?MIl*!hi)jpq$NN&%77k@h65lW|3u=`=GzG zn_3o&5sZG<4q~p+#N@Gm=_r}G9jC5n}^al;D@f zBTFe)IA9APr=(m4m)~+Z^%pwb0dTlDyj> z>fnn}|GTCc$YNnFM5GY5Vk&B|5k`hR^UzK)Sh%QhqZ+bBVsWnQuPuj(is+zksC^)C9F1eG=x3I z!sQP$I}eR~dkpzHaLky!xOSlDXfX$-2PKtDLPf3P6P4|UbAhkuC=3*@7~TufP%>yK zsIN6&+_6=h{#?XjljeIY{=0BZ@?7#GQtV%NI*V`FR5nEWjI@z;)AIs_mz=kdZ_{NW zp_Dn87xa;9%@+hT^I?vtb4V;Fv0p6C8Q5nNYIzCB}iP1O-Ww4ahL}e|W-y zbc!0yKp%0G2~f?<-*d_uN#Y8nX~!WQ_l01#?8RiKeb%*32S=ULMyow|Z*{FV6`L~B z{J30fnRLaJ9oBljw$g zC{v!-je9A>^D*p*OT_NmMpM4mBY&)90GuKOeWa(wRYpw>YX*3)}eBIH&4!c zeXGl&7Zi)lTJyY1&n2)3TmR@EZtc*)II+*Y^Tl1e!9$;xH0``+b=m8J!N_f3S}X!^IR-DZ!hKa}n=r z58oiei0qpj_z~P8i4fxC;oZU|o zzq{i(=H)NSSbA3X{Bpe+@Qku=jX43V)zcG;|D_Ff%r-Kk(6G(o^r z0AidfTO)~C%x-jqTDDk^y(n6j$#30Bw)3EgMO}&p@0p=dNQr9GX5&G=Cr#tbmgYf& z^dZZ7g(2}fL@>^5-DOGRL9;sV#KM-#y&ErfCNk|`MqtiZJ4G@SQ&0pI@3}c==i0O3 zrAZuyKJvXQj4rHRClQE+^QplaFv+57?wk9S(k>eE%{AObICfA;H4iNj^N)x8&;Y** z;ZzLo&dmHXL*|&1yIH(ZgkeA&e$QbSgn}Z(f+NEiMd1|EIvl1*{IH1NA*zh*Ud;O` zi{rCk2wOf zwH=XkQ|8T^YOITZzj|HgldJFQNp@kquBY~eL`vV)V|%RE^{QDl_h0F9xV)28zri@d zgqVtLuwbs(dq%b12>i*Ry=;*O8}bjLdqiS*t#*%wx-L=T?RlNN=97@b1+97m5ZaXT`-^>^tFE9s zsyN5KRGukhbuf8zt9lL>ELbXpOuBVC%XC3|c#f#n%0S5Y#TGyj4z1FtAVx>Qr$9!R zwv*Wb{JNwL(Up@NajqzV3n#sP@fo^QUk-o-g&ZK~ z1jCiX4lO9DzE!Lw2ObOn-6N0&?$Pk#v)~vk{SI8INroQ!8G@#2sTW{E&Z6)##Xfo% zqf6|EH*{V^Er>Fa4Ly?qIP*QnCQXn@?vV%o4r`L8=F>|YQMm=2J2P$Nyya2?J&!Qq 
zkwtuO>ctrV>A+DLQcx&SuiriF=Fo;-*Y!mz;r$l{tXhV`3a+?bc&eoxtRl!P+-0x= zc5-JKjC`q+g~jTx0Qf}2t~_E`p!Q54&~!tVXss7Vc8tfFW1L4u)Vm?LD6^b@?6f=Q zvL%rXwR`^Jrpr&&oT-9Z@MzRv)^r>d?I{Z)N6181loXO_x>^>=;+qHKv0_OE zzzX4nKWV<_B5oa_9br9qRzgi?b_y@yJ)DamG<$w3 z=E|N~tq9)_g5%f=#zYo)0R$eBVyBuox1CQ??6nYll!mEiCDaiWaQ!PDBEv zV;kmzOUG09h#{a;3$`&IZ(RFCDga#ewF3ikH3h1 zlm;W(tX5rk&Gf$6ENL?TES_+C!PrP%wx+RqtTH58K7omrszJcOrS?-ZUzoLA6RqfW zBeh2~-dNvJ0Iat2rCNLwGoA{36Fnx?{_E`;DR7(VLlVRjneY;Lk5;UbrjOC6M62IR zmCEn$>2#<9_?swC1)w(8ngqPZs!O8XQyS6M)@f#T6npmidd&_TS~6y_s!!31Y~#&B z_mm$R1v`cAJEay}(JS!?vS3W`msx#OQ64Fds|?62M0O-?0FyP8Mj-`cPLjdLgI|cG zB72H(5mV%kwaC)Qi@jpgnD4a5}+4zw7g?GU1oU++tk96MfYfp3*O+z`$YgKbE z?<^Pn1zwgxLLI&SNJ+x?lsn$nFU_hUf;j09v=!&m6fV1Hp}#q^IYm<6)u(vMK)$T) zoqDVZyPHYs(UB-M_g)^*njjaV79B?t?n)WqM#2hjyRod2w0}yQEQk68wpazyCbEm# zd^1@?KzJfiLxOv>q#;{wc2mfk|6USDZg)>7aO8vEMBd1Uw6VA$zD z)WuF1I3C?GGG5ONJIqp*j#2~89FaGQk&9#OWJ&$8f){W0lya9C!4j6X=qReTG^HD2 zb_98DjE{C+ET#Jbi{l~@=XWK%s>V1WXco~~b^j`~kGN?kF{H+W&TQ^6m<|>EP`A7IU8hg{)_D-#>%cWO`k1joM*+7Gc74 z{Kt?y#a7b!-ho*&_l=sl_u70#>0Lco8S?4lQkI?Am)IA7UORB21L%4VZ{*yNcb$`B zL&b1uij7Qjk@rWh>q_noeOKqNtDC+}2ushd!=pmSpSu`+(u;CxXWMb!Cx?0VOLBZVjA9i)Z!z4y+>0grOvZ)DTN&#KOgdb4J zU{{|L95o=AfH;U~$;ag3315(;G+}J(rxIf^-gHj?IxQ-h3tQr`l6fk&dS*XuuytfN zi?VqRu6ZK*@3G?qmPx499OND=?dE{kMCi>2!#4gB2tHKEYkciw+WoJ`F<_&8L=bs` zNeSW=HoC#YYKA(MDMd%XHqIe6l%%C)xG|OCgP4ofd z8GEudL^cs_yU);37;MKps`9gCo#m`ty6-g?k<3229w(6I_7E5b$$?4IV3X$$+xU zogU3sQH)pt{++va)AcY>lLfHuv`>CP9*eCi-buoYq?)ul{j98>lYe)~AQQ?>4-be~ zqUrsX$J+~Z)Qx3{)PW*_=X9JBISL%cWgR}Pi$Jm}axSTIc_nexPAh~|+L(oI4){mt zLpiMzVJJsKU|W^_rEb++D5?NeU;<=LJ8E*C9QLG$U2A|@1i(W37wKj)YCMni&fkKo zK)5-1nX=-9)2U5QHRxI0R^tT3J81&o z9i3PotrL3K;mi40hvGr!ynozjwT}ny`~5S~OHZ~uwffywvo|>Fc22GSd+WS6Xm(Cc ztY)7UHLYH6z^g24!lch5Az2sJ7@Szgjpi@wfPCNS^|`sBYF72!I%l13U$6hImbP*{ zm2jHq62i9pYTvBwZLA9}HwsrXTx_qp|GLOBT+7t0?LpOtU7>iiAdo*JMn*MU{?~Kf zh=o%~$Z@?#1@D?sGhf1dFOcyP5Fa`Kfc2t{nDz=xmE{Z 
zwP6%5%-V|t2HkaQf}muGqxx&JYSvz<5PI*|hCn7bsvl4Y2ML6J#Ye+w$@N#~csL4pIQk%Yji*Qgpq|vtqR{OZs&TlvKu0lVoSIyeKS<|1`UcvKgvx1v2x*GZ6&57h3r;UHKPR~yV zjgynk&(;wf9fP;lyH3{{oOP{1uWz082EFqpW#fANfSx7UHa~Z|AKsmGejd=>$=mj= z?rE#t=(jp;z5e=OUu|d6qro~F^!jvSXd@0uum4T0*R}fHUj~gnox^@FskEomk^Quf zSHfFbckpwo|DGP2=VwQaz6A&8t`5_|mTu5$H=6y{M{982?zc|TBV1May#3y4ob=!S zLZ^_|Tn2CNRkfOHH?ri7H8&Fpy-`PD>v``@tlZM?pbM| z2$Mn@Ncsj^pq=-ZP5YK>CAlgy`&Xr&8hXQVh0$Q6LVR|W?3jL>-%ydEj>+h!}_&A|YWop{>EDAwAo#Ht1oX2#__hhjP3!Zx5 z11@2Mg=6{juDi3B49>@6+qvCfK$Ih-DMc^`3LX6TDSezp;S|RcJWnQ#M=M;vE6P}s ztw$LQ9Aja$K^Nch-k?x5OF91JGQh99G2lSH{>~r)w9%~rZ@#XH>`AoC1t-*elvE8g z*B)aEV;6){*}1d{E+r9kpj|HHuQkgFFyG8D$2-{AG{@U3l7DV{W(doA)2R^BszQb~ zzH1GCUadhau~Y# zr|L1CFWqZjIX5wmrd|NA9Qphpijz-~bubd2H>9!0aEX*+@+1Sf@!|>9Yy5CbknP0Y zHC5xEV0i0svV{Tl!AlPkw$p76nV=`w_TvfH`KU}5#mFATIN~V_!)!hm!LNECQsTw%AK6k zt?E_IAfHi$_V zMQ!29pq@TGO46>Fa( zQ2Gl%Mi93`)($<}!Qe{|5!4?ViQxGAwzJw*J za9;urlBM6T4Dlsl{~8YQhLz#i0aS;Tp+q~=CB7u44Q>!0@NI594%%zu=iZg8O(~n0@jky0on1Ii~U^No^M}zz8ByAk1)uP z!JHV_Cb3boORUB5}m)H(mJ90DY3nvNhi3v7GUdGF`a&1Qy-@B}&o!AYL98ciE zaey$kJaRfj(N(BT?HSzS8uXarYrSyDL-oZ6#07!{bEQM6r^ab1b^+9*ZkQKa!z}pM zBK$`YV#7?mA!43;T>2Ck?!Z#WBg65r9pI=`(D%w$%LPuWd5|9aka-ct*S={k;Mr=x zl9y&R?~(H&E*rfDUIer8!{A&{Px(f8v4bbj@bZCfqU#kv+UyZ=4zR~R0L}yQn4lwz z?SHSwz^i(Gx_7}Vd)nlQ@JgT?zZPDE{MgsBix8e9u%q_F_n&X@lLT?8bgjnGsbx-G za~#Igng3*cRIAnM!Tvt{U#(Wt|JSN7YOh}XP}@IvwO4ytt?j@1p<3Io)n5L9s!xW& zlAk$=?dXT?^XJAsn zI-s^-i~=6FQ44qo8R()PqCNA==bh(qXzUqZlF}EV^o3fwFG}~-(wCz2rCNF*N)KqM zfi4=6Gx1{V#PbM$-g#~-f3neK$CVxtz@-X##u}H7QsM6E;Vt#liB2FCi}tKI z-GWCG&P~Le0ARJ$d_;z<#o=+ikG*bWZxBE4|bYmx*AC=2Bv-Y?D zD3>*Z<$WxdUzo4WDlO6e`~UdA|KI=Te^>w2-k=`bwTV!;2j-p(kLwWx4*^RlwALeB zR4#{se_Jj?zSU+ci4r!BrTpoaXNZ!s<-FQQJRx2=Jq0!@CH#fwiD`OU{}n7 zr)DFiuuZC@QobFBGtVKFq+W$BV2XpLazfV2Ww;E4T$e8(N!)w}vBX_S&B-%$rbDXA zEP6cKn5Lx?a>}%hkUVW6^tSdK{inzh1o`~9hPjXh@|#2?2I!kcC5Fb|HZt)y%`^G< z=)-@?#FY6#+2QNA2+W>j1#G#n8Ul}HL6?hjLwo7q!UQ5Q98|59oJ}%br z_TAma(cT{(wnbvhHcQi)8Hw^~$ykb_Hh+uJEQ#LCMxz9nUK~&A_8fYYm7$V^v7Y=H3JRP 
zIg)@qCP$%*@pFqjG)wie(%cU) z7i+1)>P)bxTY@_H^dsT|n0LT!^D`F~)gIwFo3P z%j_7(M(&3a%;g2RyloENp3VH*q7L|@Pk2)|4c$zFUbS|K4H=S>*se>f5v&l-Hd(sH zj6$+0j!&GUKw#({2NIfH#AS z1CdlvE-xYkb1kkIWuE&S&dq46T$btzg_bY#R@PA?%H?0eIhxK1!;db67w0h$P=<$@ z8KRpLFjBv<$yL8_JcKOYkhyL0nDx>GIKv!pM_%AIaTN39t4m6!pfaMt~Ta~gPL zxeVxlaY8zmmdkR3PeT_3WglPLLClm-N_ZE!>HgE!2)dIaQp!K4Q-L;zsFIXOG*YD^ zjAyD)37k0uO95LLG4huMBX`2!8XSCw=0f15A#=Mdmwk`K%%o8+yPgx%J@bZ6rre$U zEaeQWE){7dxjh9-|3`?zX1^h1aJ`CtWkhvN1uk2w!{QocOm%=JjE6tn;w-5CYyX#yFtT12(8WVX)yDBhSafe7U?_7Lqp{ z5+bn!_xWwPL(b1KDk6l?N}mY;^BI6Vl7c+|UEr_4D;A5hY?tCT4X<;cwA{k)SNN8s z;ODX6g0^|bMFkCu*!}{ToY|`=#c?urnKX!l=1L0d6G-YgI)w~qj8@cJDN2dL?n^g$ z%xUk~y9SGvN8mNZM83@)3Zifas)12bf%axaP026rV58|GiLPEpcXI0`0lX0l0|8$i z*nc`7@ER@Pi=08dj`ZoR@IeP&qAT@aN@<L$qh!eqk zCEz454$4o05cy#+hHQ515HjfixOD>MUtJ`35ewG%^oCU}!)f|WS%9;gK$ukpP-WY} z9Ydpi)aZA*zo4554%SI2`7C3oUAh6$b0n;=3l`C(n@erTrL}Uo9mZ7WLH$WMA5V}+ zlypDm;{z<|BBr2WXvD0H`uUgwPYE`553XUhe7uzwWdql6J z3!oEmzUmf8^R!XJ_rn``oaqgqFWG>JTFzd*0b^m>k$P~`Z_LB97uYj03FG{)eS1vu zzvRO_g4rs9$-d^nWM7J45-0L5G0;`u;GD*+g6OueLVnNeo5+-~@L8Ea{^_%vc9H0t zu1J|np&CM;g=o-+TT~mgzX)S~1W@_AX436kOfKLS&YxQZp^L#TY>cCDK4a<`rMoEf zal*j33Z8JVr+H_nApxb1cvVe9^jF5jvQLQWNPRY^X$$uvDFjnK`x-*3`CHzS^SX+e zTtn(#b#(EWP57RP&TK*;Ac5!59qqC(W^l_TrKp0JhLwU>hurR;*E;jWtg__E+3-)l zRJ4x7XM@M0tdnF8`86>I`lyGRSx`CN6UzNF+^82+=AXGKOa66*Z|gZD-r#j30LiTT zqei~aXCB1W6R@novPpoA^THHKngnBkE5hPqH0{Fwrzh=YT&U=+1{K#*4;$*qlIA~; zfbUF<;6j~ju->B$HkRaXVTi?7#I&dOZ((5H5Yq{#6}m)*9Z?mC{%hZmx@S-8^`9Ee zX6L-!AGD6%)M=&4Pp!u3pxZgI2JObF^+p$h=5v(i<*8}E@cSm)by~X4!jsoNj+ssFqrd|$$&6v6r??r z`kC4Bq|Sv^GxMGG(_RN9B$Y{p%(6)go^%pmvCjbe$|Rg(s@Z|VA0Kf=vB%qPC-84M zW(l>e>lpoY(z_zBD;;WDH-s>u@bXg_Tb2pyMeoh&mV%WVrUiOoVw39Hkr%ihvs{Ns z_(#cI8EtZgqfr=5b4CDe+pJBCu-&S&d4)12^%F(x*H1ks3Q0JM&1N{A%_%qvqe53D zQ5TA8fhXnaY79dV7(O#Z;OL;rY!7@oDMosQ%rE6QN#&SH?! 
z%&8m@WuZ7Q=A;6LOvSz;l{vu%hhPW@CC0!!f@~OL5=`!Deo3dnL~xZO>gUy*2QH3$ zcu@l4?ko&_!8X-FQr=1#Z%k)G`0ZUXr-h=#IVsOM`~`wU0k1!@-nH7Teycrr*E+Ed zSCX@6oLQj5tsVO}c~XHZwqg7_$I&g)Jy%Ef=!+eV3Bt}KL?wxV)$5#ho7UjC+c`fw zWJ{keWQUPx(D=}U0$x@8DZig|nh=GGqjN<#Dr2;j28)aUZHeX*RVr%m#E%KO65Dp? z$m(U#J3MU;w(inp4}+~c0h<0Uka|!74SH7hW2=d=$&W2 zgR^fQG{`x@Q5{v20vMnu86|(Jva%FzrOd0L-3>-^A&!&&Hu<6ARHWMO(?<+nwA6UpFF zFPhdB4~G2AVz~;;9-HfiJN1I0Dm#30D@{hh_+3>cUV*MF|Fxdhc^?~P1X?E%OzKEi zKI?_B7h=UMQQ90F#F6dS4Ci;W9%-`PV&-F&_@UbRSyWToB_C~bv#pexsEv$Y#qn~6 zXvYhvu2w>-W8>oj?F`Wl+=@sQlIb_4e>M6ae$x$*hPOcoB5q5{u2db}ON~wOlVI@> zkVy11;DVoO6`w^R6+8wWcpjuL)%98AUE47pT;bc56>`2hzK4T&fTyHb86E1C( zwiMD`WAGM+YUGm7%`zXEF7dCxP5(+3(Z4*K`>We$J$q`7uP`O3u`|o=m^%9DxYuAB z?SKAs*6sY4)dT~r3GH}ov4fm&`Y*A86btjRr~m~9=iIt7kkq2F*+h*+BXf>@nWG{> z=3AB7(}TpW%(Gaq0^u`$-0HtSe>>=RK3Hu&N1#-`i^6F=V?I{7EBoR66?|yqD_-#f ztd$kYxy*@(plPYXOFXf!Jr=?Q;wOhPiIt*8v5?b?zSqMgrhM>nS!IA<=~r)>reY@k z9i6}XDH{OS@7OB^5y^nPg!meyhRA@l?{>;~*J%HeP$i#W{z?tIlEv)scl{+(dy4}+ z^5Qyrhi`C%&OVY|s=UvA?l6e_@CGv4k(ih~CWIZ_=5$RtH}3JBgBR6M|!QtK$fB(<_lg#YtfB(<_i!DYNPjHkB zT3vYnMi*2eBv?u?(t|J9#2Zf}u|DYxq$^!UcHm3~LBT#0Q2iv5dlHky_=1|}rQ9d+U22(h>ABX)w9(Z!kQqc^c5>~e@JT?i#~=D6q1 z;nvBBLnRVLQs+6D*pcw#y9uK!z{0r1@eRfSORCGV?Uc~YPV*u%)>1%SX7);bJz2Ln@^bjG8A>ly0147hQ%idqcx6np{NUa5lrPTA!yy zWLGlI1iQ$$Z!^;#QZ_|Ud=tte1$IJUk5el^fy^R&O*vXPkBx9-un#zjLMl|0(K$(u zU9rOS^j^e9I3SkM1z5Ev7)`wZ61ON_&XhfiV9pojZ{=#MYl>ro_X44$82-j6j0{_@ zJzLw7ru9R*hEd4wXdxH{Jt8h|5%_${C86`Wt9Z>0^VBN3XJmo;FbZ}N+($A~>*7?& z2@uW;z|hpURr7#N4&i%@>Nskjun4Q1F@uuuA2!@Z>0$;lS9j-u8CUanq`>TU}Vj5@2$o zgiGEGjd|?(q;lzpmtw*|uNHx=EB>{J31*Usf^4}A^~zM#{$W2y*<8$dI=2 zgrX4oE~lW(>S|iKd^V3DEq%F+*vm0GFH{1fGvh9<8Cxc~c4g$jd8@__Q$297ynzsF zN;`cY-XIUOM?yPpF%Z~xCbAl3uIzq}Ht4g%2IL&tqSrd^TisJ29NQ-$a_5l{zv#Y! 
z=M^w9b3*yu8}zs8zo8weYFzrbMBxheaS0e%idykeYIZC+5I-Ra)?WqQYgK z?I+>bb13u+8Ao*UjrBajwmYTh%ZRnPkNZs=Tn~XrFx4>a=oamyZyTwGQ7&`Yo|Ma_ z`U({a2iHP_YMxk)_TbFwwmL_Hp4IHMk9u{qy;nP^R=3e}4fypA{uA3G=Kr*P@~7$g+- z@CYn&`{H;UwR#^0=RJyM|9#i$z3-e*G^*z7h3RJj?ZQCxq3*#vFk-UV?fQm&c$5ti z-b+5H#7>bpOUO!I$j*qXEPG?eYlMAxZI-r}l5!4{>&~fCPtrD88L_7sg~5M?m!^21 z!lI`*Het#ue_S&sn4lmGjC9!kg*z~T&a*?rthRYPly^yKBf3Sk>eLICa7f@}^>SI$ zs9-lt$!9X|WsCzBVnO6YBHQTfW0S06EX6PURijLfWfLr>%TTGKSKP|diDYD(0`uL1 z)16!$CklgqhL_4PaxKC+Z5J44*Xmnsa56b+{L-tVS77U8lr7d1oVsps#Mu&1V8Stn zX%Itco}tJ8ehHYSB=?iN{0V)GUpQP`(jy3_~HriqBY3JoK#F;7W^2B&7?;1TJ$EjSV1I^_1 zfjzDx(T(C2+&$H_pM|4V_OW9U{fG`Fuw(BU(bGK+p(sr488h3&A$;UxPUDC@Fqp9p!-)4+ z*pa54vCC&PRPS8i#nDa}mC#V}R2il-;XQ6K@~(93$eGj`iW$WHtpN0I<}4m%}$$2dsbIoH|DY%xt()+%JVct zh_M4aP8IVJB;IYyAdvjd3P7W@f1^E*`5|~5*+DGW69)FwYc}DsJPF9j-xu?jbV~Ue zSLr0}ba0XyxRz+N1ovJqs6E=`j` z0F@NcX3=*ckNPzZ!oV)kiX5U7PG@02D==+8!ekZ(EYJbvYz}+oz4(ql zG1M`OEW6wX{hjAYg;XGe4Asz1AkG+|%P$+sI-cT`rR~*RMiDNMi)VL1pjSY@ccdig)i4j-1Y=Do33^Wjm zI0>v>V)&W)b__2_e0+_4`HnytZiO(Dep7eSr2w4Q%6I_0@{ zjhSx;DZwv|N0w5qaKIKoPD!~8F2Ch+>b($nsB3HwzGtb;+0IaCTFg6$=`izrx_gaN z3thb?$-@nzj=mW8ziXNy61j;`A#BN1++Zh+414CGono+ZFO{hLvlx8lo2^XZUoTHu zXJpSjdVDZllDWRIVeTJzaG({d|Gw-{Mt#}A2w^puVHUrI? 
z3&4^n$XN-%h+k(ZnP$0WzZvl2R$5uotM`ywKh z>IvoQ3sH>tHyOg6u3#nt)1#czRwH@D153i{ZTx4JCt?lKNWn z#XVca@y}%}HffM#FC0nVB+n&3BEge3aDba&9P`9kt%Qv$|HhpOVnPth=s^*5V;G z9h+bon~b9lp~UA31@a!Y2^xMle`_^6?RTx?A&VWZb~t1r-H;Du$}_!jKV^78h8=N@ zn9jfY$BG8vTOa}*vGCwCkB6_SgZO6J^LP?Q-ft|V+SP0D3%;&t2wi!BTSrvl(-4~C z*mmvMPQ*R+_={L2MGmY((h|KWFNrSmlK5DftL&M_-jmkRg|2^=ArJ)m=t8HeqP~mt z865+OaS$^N-SKU2n)`)FK-W0B1R#`2(yBLh>`dq{V+?=uJfakc_`+Yyf6l{@@Q_u~ z*v=*|A90S1jB@oPNTrukS+ritwSM*TaRxCbaQr=X88@V=M34BU*dciTAsx8I5-vd$ z>ZPc^kmAXlnJem$P_AI|zwv~p)}0EokD5`%ef_cXntSJ%eqfM&VYFf*VtB8z6ojF8 z)-$nUKFesBh0hPT?a5BF`;o^j&t!sqUu!o`t=?IqX&ox(eDmbI*SESX&Oxz!tu@cP z^!x(bvGtGs;nofvj1&9Zk6+x%8$3vANz=}IR+qg)7<_D;oLfp8BT(g-G0Q|A;kdGF zDUlH#jzdGFOF87pqfAN;ET%P23x)2%S>RwF8HS4~$Wnqo8}B0i*B-t>h7s8}1^q;D z^CSX~lZS`9J8y*WuZU%q*0;B}x9&32^sv3XtwYvVFL3b}*;)pc)*&Y>4qW*kjG!df zrP=rjRJlaH0#()%M^(SO19eQ`%S9F4!Swj{94b6=))L z%$Rys_v2SB!3N`^Tb{QwS%77A=F@nJ$Qi~AWoZ~?78qrEL&>_K^l*{7)5I=sihT<+ z!Dd13TA>Iyc8q@d30a+Y=ndLZ!5B$1EyFk&+ho_)T4rz7(bk;`=0OugO$8~&$+9() z=*R4CNa%Nq_1N2_bq|HDJIR(FG_kNt(cnEZGzzIwZQ5)+$d{>UoY~SmXpo3xS+6i8 zej5o^o~^qqX*_6F=bc#Ca=CZo#m+<~6wCSpi(o_-oX3E3(D^L9(b?6no zg%}{YR5p~mn6sheiA3r94Z-&t0*>kTtAW4l)xe`B>@RsYu#;Z!@7Dx>&T9gK@dlR! 
zns#?5#T2BoM8&)!bkSq^HFRX6hlkwSY|bOQK~ zYV}}$AO5datJ(i+2L~^IsO=xT+N-^+*7jfhP^}%*s(U}6>XVFc#m}6?cJxE_tNY3h z?l1E5{8{DF3o4g3nP?h>kY!1@bpA)GkW$TNJc)CrTe=wPUN@2d%ZPR+FW& zV)wk=Z=G7Hs#|wzX&R>5Zvr#ZFAv|(VTyj0Qd$3~)jrBpM_YH02-Y9UUGb zor*y^`urmVCFZ`$0tNmmF2dP4MECbX_r*-`$Z1AyiLtcl$W!nH$!}p2I4Jm-UU3O0 z0l{rH9EdQTz>Sy?`x859Vkk$3pMC)41!3oou)-EOB_M_V-rK!?A0F{)7lo{}-G$Z8oF>7Ve$ zi@j;9{jP%y!+3+XYM<~$b*le}9yA<9imdcpAYD@^iw5fX7|-Boeuzfi7Zz1Sgrg+%Bg*sw-$tI`u`sA)c-B8!eNBUB zdt&c9gxo%!^R{ealWm?5;?3{ zzea#=!su$`hc_rcNh{i`z1Xkqz1TPR_g>WaZ?(Ps7xXtx(<#k7M~!Gqw3~_NW4ahy zHFWsDq5uDmu@l@+O817bBgb{09@BmPc-|Z>`c$GAot9 zVK+5{rq%5an(YmMC3BJw)cQxi+Zgm3?cN%|F|i$um!s!sW|J7%(RdCw^I^nhS93$E z@d^RwaO09)tGxS zb1k8$Cu^_V^3@G)nR(E<)``{V(Xafsx{;i{51Mw=>K<z|&{!b&`y zDTWM=X6ommt$Lk*;YO9I%pR|B4JU zzx*fCD>;LC(2)_~8^jbVwaYXT&0ZI+hk!#OK;YPFTir(AVjJarfWLkRQ#MV>P-4L4W76Q|_Jj3La zyH9$Af9)~9x`q#N`9A4&^hwVF`bpnKpLB;rq6VGRPda+g(HpdN$9CKUFx^3ff8_zL z5sIeB7+td(Ih^hx^+oW?2Usl1-+TQ=|Gam&wc}9b+_*vp>75|MMgLjQCog7o-zfn3f7kyyv)|oCwcA~VLradI9f79;|6X2+Z`3c z29yFGwpA-bC3BiRARtw?L_KdDfUOsU)JNsJSlm9n@AuF6{0y3%BkOQWnX!br)KV&9 z?^UZA={cn}G+9UhFgL3#jmsXKVn+qjkP*w#^tzy8Zm9_}xoGRy@#<n$PyV)LV{bUducX;gzd;M!fPBsHaNN^jDj)x_9gaHm4&(KE^nL< zOYCR`J*2I3xs#VQu%Wbt4PEGoFR=dk;bHsxwa=gCXTkpG1z!A=mp`lTfA*^{US;fm zFZXNT?|*)mpU2<-taba7d-nrUEcYd@^J;2Yx?-Y4ClwR9SXAx&+~)3*N!Ll)l53}e zOQ+1;5L8@tGsF%VW~Jxmc`(^2_W+!skC1_W`pN3N)6mL?AIw*=GqZo47d_ibqqXR1 zoS84E0H=j?lFU5{>ioiq8z==Am$8T>BZq?UCcsfw`f({wz~u1k*^IC^LrA{IVR-@- zC(L?!)%cgW=O!P{TSv5<#E}<_kK|;)#4G+=(qp;CT$Hs3O_Kl))3;0fNn@((l<&vF zEYjneiup4;o*Zu9nPOqgx#vD?mpE;V!oPKR1#EK zH$`wsf$Dq0uHPV=0(Uuu{F1PEu3i9zinUd3Z+yI!|Va}yvqRC=NlR0eJPkO$K>L;D*D!G)G2)r;G z%ci~tLt6hjId{Z4H_O^{#3mDJps6>WfPW!4Z|x#4kb!;)MqbR)fL~&M)sp19b!^|) zx)vzN5=r54#RyKww9I6gy8IQN=zbH!5%p3$KV5U#-V+ts#IIeQqb%LOM7eO3;z*_M zz(pl;<;|pnB}{+iJkl( zs&Ag?CI7S$chT9clXsZAA!I<|oI!mmAel(!eEXxtlkY#@_-8@>kFXO4j_2d2Qvz1V z|9gA;S^589zxLw0{QrCWY~ufws{Xc8>w zulx2kRmdfezBk3CZS)4grLbVo@H$9QI4OG0bdiq1vX`gQNc0rcWZxnH#>Yim=bl^I 
zP8#BC+eh2*MEycnk<&k;L*$3HJ0Nkiqc0$@ODKyvGjlBXquJ#5pYK24f4=|x%l-U+ Q0RRC1|8}~;=>R$e06&@!-~a#s literal 0 HcmV?d00001 
diff --git a/assets/confluent/confluent-for-kubernetes-0.1033.33.tgz b/assets/confluent/confluent-for-kubernetes-0.1033.33.tgz new file mode 100644 index 0000000000000000000000000000000000000000..43273bb2bc8b08af7b970e249530ef88265373a6 GIT binary patch literal 369990 zcmYhiV{m587w#Qv;@t5a+sVYXZQC{{nAo;$+n(6AZD-=V^Zd_SbYjcVQvk^9Iv2CUP)f_Z2|kf`vXSz))ig0Yl!5i0X@+1dBKoeX+CA6wUz?E1Z{KHZJ)UMKF{ zo%U|-ybkG4Ha0d4myzd&5rAPzBOF4%Ha6mz{;ail47X(B@W||s4YOwK zpyD)iM+@q;e&S}4hY879?Cohnyr#{jd%Qevg-||@;8;x)#&G^&Drf*>3FKG@7fF5j zZv0gTD&Prh%+Q9Jk&pr>wPt*TmF$avfK!rEoNRRj7R(G%<%;62z1+aNyX*A;d%W8n zccc&4<8fZU5u%j-s5OALy?#e#V|I3$etq9RMdp0(h-jQ1}Cy|686)l0q5T zC<09G^aK9>Oab7)IRwACPYDLpBZ*T0euOodm5$gKd0L^iZv;kZb9P~g4rx*+P8kb}H-h9e% zgWr5xMtq+x(Z@Tw2tSy?8lwo6ASx0jbBqR~bc_a;(RgWk!$T70y(}+Fvp%qgj3o1s zEd*(P1CukzQv2m4=)jm19kPhyegfq|!i7Zoqk<^GOyDU4@;$ukYBADt&N4xPq{s`P z#_?sLwgD_L$i@YS*im~B!O;7!$U{a7LQJFZl7?XmfH6_ilScJrqKI&dhbzF?lF#jP zHkGnl1gJzj>%(s>L`HPf)NPZ#J1hq#oFOgMJ8C4X{IE@G)F_b?MatrzX-+@W7ST|K z^GmR0u)&Za6vsIVekV{W1;;X(0v&jSL1Knz7T{$=ZFrt`ei^`%gj8)4Ty7+T37W1k zj_mGhsFJ`W*XxiuM-;~|VfO`oFbg_RiqgWU#y^LiXAUb}q$zh`-M3U1lm>qfeoH$rWln;IP>vpL7#ng^+ z6q?bGHxlYF{oI#{SDAc5Db~uU6zP0K$IH*f`F6JOSKMBHCYDD_TGY5l+*l~y@>069 z9`l_-rmh+Vj1eBeK7yFSZ=4|ZIDzDpT-(O5%&k1*nzi=eGx3LNoN?#pXxzSFLw5cq zvz;R#KwuQJfL-|3Kgfdz)82zVK#?aM1~J0rV5mlNxI$s*Qg#Mu8ot+b&5iIqJc5@+ z#e~t!%spx2;0|66Sz?}Ye!>qtlET~)pnG`Pmmo)#VK7`CCu%KM)6sRHk(F#ZI8;I& zxtT~(#kUPk1Y3imI${ukI#8#fl!6s?V9+T>4%JX?PCC%_3uop50m?o1 znYp!1{qhuJ$~R(yLNST(Vzrf*Xp2A1f+ju)Pns-FLXewZgHf#iq##uh%{mU?;z-cO z1V;%FQWJ>Z#UsVo-;ILFVF_j;WJ1l3b^u|2?6pC#Id~s zCL|>!*TH05k=Apeq?rCS`GWtl!H*O278SG$v}}&iU;>zO;e!zK3`*fZ5K7GR-g=pv zlYeLAr|YoRy6b!QIgx!P5UY)LYEQrKKV>3m(8HmE#hk*AL=4JM!p{;40umLP`n~>| z-<`|!vjz0`!j^%j*w`Nkep~8qd6nuxv$q3-PONv#vw(-3LL%tSytM~A1FXB z4n3i~mq?+B-2n1V@&sYhj-(uMFeb_jv<*JuxEIW&c!{2a z&{v|-v$jS{z%57IJtrx);*%8wKMc)?2<@rpR9BVo1h(mM|HrrO?lAn!GfaqzHK-!i zbB8U~SJJR3XFTT0U-m(bS9Q_~$tDMxSEVA;DOopu8Dq|z9w&aZn3UjVO`O1o 
z-1sf~ONj22>7AL(k{I);##?B?BiF~oNEDEp9ru!jTr;uoXIbf&taDXsiJ2#iSZ+H{ zjxvx~%?G`JDMk^75VMmwY!)HnQ1Fc|AH=khIAXNgAWzVltd$fU_jirdt-WHD*PB${kIDwhSPaX^5h(E@TB4iPzTK4tso z{RN@J*XNhN%AAa%%>_e?lr1PSsY;bB6(V{O5fh74z*Q^Jcu8j~Ebpq$fSX4UnM}%|UiR14D>@!+teVhbCHaYDvX1 zlz2>nl2NseFJsS0lFpEm3NoR+-XHVFqZ-rK>K4FEA(uKk#Gnd!Dh9UYv!b>`F)y&6 z&@u)A?aJq7O%d8P+`sWDdmzwwy2Kvrd;MWk))znOsnxp`d!HtP5@sF@r3&qP6zTQ-~QX6$Xt^mlk`{c+ViCEA!Kce1GaX3%>R>`$O0k)5#USi>(*-eF@9)OnbyDTWDhd!fVEOu#~~je zcgJrOd)XpJkAxN!G!h8fc@avXT?p0@6z7ThuiBq91mtT~q!WV;6%@)Ws_8sJzgEN- zWGs(_sZNJ$mF~ZH>8&A)V4DGlKEzRrnfobgM4e+J0#oVQb7w82Mp-L04Mbu&+Lk;? z`A5z6kKQ8-zQoz7WhbEp5~9XMJ-CPZSyr4UwvhdQPnucM_FzsC5cx(b=)CDPOnS>> z{!r3ClJ)x-3N-aC7a?-{bY< z1P+3KR%oZ{dgaVcYT`V>X3iZz0!SvuTNvmlD>WG*d7Xv7qmn9Cpiuk3U){v00)e(^ zq>r@uJYLcF`yA<5q0M7N5sKp?2hGzeLd-ahMd&wN@)yk!ZMX*5`A@9$u5AU6zJ>}X zDUil;X(zm@+V40_as&itZbyQ}yB2#1N`FzN6NUe%7)g-OjXSeDY~47|McTJ6S?SMN zL5Xt|+WQ0OYjI7SbkwP#ftmK@iF4LqLkjNbe{*n9ezDFAo+UKRnuIzp<{Tg=BX>g< zjP)Lmvyt85?WjjeLD(H!|`eK9F}#n3wNQ+65WoZQ3mC z;@&UPuF&A=uon*7v9N0T9y7g8T$m{QLBvO^B_8>CGF_=|`aV;;)8(n3-|I_wqm?*(Ynuv;*n}gq*o-|FHRL=ZOOe&`RLQ+3WG-I`(xlG<~uC^=>!c`_=r3-qzp9>j}UkNi*5)x7a?bi%pPR{w1e6pIGZ=0OK(ISlb zpfbNB5xy`tXp>9MuYT%g_+pkQdJbP?g9;QgU3|DCFOpM7Dm_Pul2ML+h< z;HKa0v2^q89xv4;uJ@7F-PaL}tPPgGt107Qh^vsQIMdJkFuR=12R%a$-?f zeQ>UNeqGc;R;85r!6@^Q0lt;7`SrgQE7a}W5OM*wlucJF`s_81z-!Pu_37D$krX`+ z?SbB}4klq>NZeqzPC6Mjp-cjAKO}D(%`6WZx#SqJ;F&@S9pp&VAcq1O`rnRW`=;tG z0~Q9~VkGS;0yFW7?v7#V>|KCpBT=TEbjij#|5S!6G;_jgqF}dE6zwPjZ>36H>;v&* z-#m*FOw%Ql9Q-8+>6-;Rt>G3NhAjB)V`V9>fQ>xKg1ErFw9TFT8?A-Z&F$xGKsSvG7W!;B9O&R{rd}689S)~L1ipjdd$b3R-FtF zj29;@%MfzmHaFwH3dF1DHPT3{)_I1B#1B}EB5H=9H)wyORCrDj$*c3h=g>{ly<2N3 zPzi6NBuOb~ePhe0#5&v7&KF2s*?rQ;5|`sKd~D+%V2QothW%u=o%&V%tTB_7Em5C* zf*Zob=JN%-T$T&`jf`Vu%-@ZzLPe@6R6eCPDD&V7uG?4>^L1Ln<)L;~QJb9bNQN0h z5j{107eqY#$Y|=fwd7rWVQpuqRjn6mm@KNUWvbZrr)m;GD}?3kX(jqnt=Xlw__y%- zeJUiW;NGwS<83Nd#k*hc8Gn?lU*1W7o}=_iXWM?|a+B(E2IJze?7Cg=AAG3=Egxra z5};7bL3mAs|w?h2MU$ecU0i`*G 
zcY41VOyg5hr2mS_`#g-NxcumLMO}r#h#{Mk6j{;rcT8grYFPc&!S6{)IGVb@PCXyg zsJJ5b={Y7Xs`Oo=>%8Ww?dm9Q^dR_5Q8skkE{(b(`qs>$!gzpM+W$UVs?5ebde6mV z`1KykEvYp7PI}k@FI=BKW1dAK%#M5fOBwWclrwFc>a;^+1NfRYhzx3q^ZTI9`IF99 zOgj%qx-?%Tf|NU~Fd{{@Q1DPtW;>&_LS7aFRxG%h=5aoCtmS4Mjw>vNuf1&Gv7&9! zG_f!xtE@!02_kc%0-%ahD_m2;~_MWwOwn7u3f&8a(Yy;aXq8_l`FY3;! z-cR-yGBO}Kv(`Y7grfhO7ZF!j_bd!u%cRKo1j~vqhMOQ+EbMmh08T+Y*nWnoq28Hu zKQoK;3-DuG#p?Il%tL|GWe;-hsQw-;*wN*B3*-mxE{6ycwBKZJZB#>{*N<|$=Dgqf zwQK`kx|SoE&u$uzY`cc<#DYiF2Gx~Qb-fIxe+#8U3|n01U5u(jL9yVAI>YV1pBR*@ zKQ?gO<44*u>l)IAi3C+AZ&(kQNZ-ox-wGihda3fM$H zDs-lb%#^Cx$~NP4;yiCOkx{5ffXaYde~Jx_pGgB1CZJfPzfhiz7l}v=#A=kJF8sb+qk6Sn z?!n24-yT!^gdd*(=(Enx!SQ)Y?nNf4(;tNKHp3A)_(ZPMaz9 z%|ik~J`W#49qM+?W}i|7%1+1Axzgf`*Yk5@S^C#h=EP&MP_CVBImg1~Vs^)P>N!H7 zV>$ScGrTC;<7?n!RqHD|-z7G9~b}Iw;vCmeoHfbvvc;HS8*-t2i<#&_+FI2z z_i@Cv@gS-y%jUNqi&R~uFd?OmEHfYYwN__U9!r~tdPi#YI#{PYDi|7M(agP``|OkE zmU2s;TG}FMH^bAQn^|H z@*8Q_6JRkm&>z7d;9|D zGSw*&7om|LPG(Er4*S2Gz3V(EZ`r=S-$d8GSEetv*m=KuBNzKtkHY?Ded@)zHs_OZ z_fw$?P2~>&DNC{_z>hw6U@qrT?=EV4zl_QI(d58Tuly&#jm1WYvI%|FCM#ND*jpNp zWz@^st|in|s9Ks!tAhso3t$KwjnTRG0gG%_mkl%cE8E92-%ocA{=|5KvJ3wE1obq{Z3NNb_W@ z`kS5^D%i+#mtBY(W%nd9$H!;qCLT7pg#Z!&Q569Xm)j0SfHRhJ!OohC=Xi}+`;JYIq_dkxE{?W4Nv(^5y}GF#55f=}jINMMQ& z>6$#ZF#ptNd4Pvk1`?}&0qPm-3DHc@^6ZZ5_J!~XpA4KQ?x=s7Ph%a;DNP-!gGDX?zttLr%?rAzhqdq|siD;08&%fTD z?zWAnGdVHVy1u3|=FWS{Ild1Rb^0qPG?0_|xOrI99-h_LtSq1lH9B@S-nmE!g>lN{g=Jcob@w6|2shcotTG%f8Aa`Xu}MHt`|qWjM{$j8;Zqbqq*@T z(d{qp-b==-4m8)(ztp0;TMzyFw|Do#h2IT%vM%EwMBxl@$O%EEn_)sifxOQNU%x$X zwwi-#GIlc%Hlq04Icc9#Lio5u$s>)@uT!q1Y6FZj137{& z23hn?-F1SYH_i|91G0CdzQH<-@!)3Memip&M>0tX3;n(5d6+7HUXI&ZK8}@QCX<(` z7dwW+65>pcN*zzRoyx+*5Nn($a1MKjN&NA*$QkX44i~^({4`(A*?-R3TL>3XF@cW%)k7Er3R$Jik>%D#~Akmrhdv7 zk_z5^t=+{kFu=uv!l3-1OqsiaQ^qquKh;GiF{Ij;=N|dj%}7I$Z^V4mMwy{eHR`2R z@w5{-z)c9pCa9~Lr?CX!y;HQnAv^dhbsL5JN1>`M$phZlhaM{>qDMdlVB7@{N!lZr z1ReqQGyIOfu^}A}B>Hz3^N|33HI|sv$2u4zqBPmeE>MB=9KzBjx%9BviJK2O;vWhZ zNq4IMmuZDP4iSVlVUsqVJlRNC*;gEgHQgZU5S(KhOav|J2RH+6lL~CpcKt6Us)E)v 
zUq}!bio$ya7^}fg`&h(+Vzx zBKw_qG)&Ysgi!s~P2+q)SCbK4%Re?AY^G)-R)Wbeh{=gg5?aks_FOq&>M77Im3vP` z0|Xy2#5eCt*Jp#qFR6X$GQ&owQ<_#2MGK#iwkMuAg$zO{RHDrJgdbg)qtzzbN)W9t zn9?V}kwA_u)E2;V`9SLIy%Y%@``3vNDjTGY(|^IxA0<&JirBHDg)o!Gj08Y~j=Fdf z^*IWk2pG=(34oW3n}&}BYB_g2TQkoHqt+D&{Rvar5R{^dczvdg=D-i??~91EG?GDZ zx!QnQ$NUibrJfPZF|pN%<$Wu2f21 zzz7X_EOy)5IovJPp%iRDT3nlHcJv>Rsm-dihLV~HT223qSOebCSLZqU!PCh%?&A<8 z^>+%tZm=LN5tn850QlhFf0kP)#u;kVyPJlPfoa96I=MC1?pj$&j_tben#8Gu@CE+r zxn09_f-2T%45Ds3{WQL2CH7y7_&^HL$v#PDGJyo1q&f7c6LsxfDX+cG1Si}!I7Oab zCs{Q>DLO%e8x9E8%+`&l&orm#>DQr$rs}kvD zf>A8kx}kP#tIl`5kpeX z6cgP9bLysi6je74hZT(|29vI$HQjqzU@ znkT=l%)n-E+=tZ#^ZKd&r5M4zDy7W)w#G#hN3~i#At^&o`Z8woDPIHYSl!MLXP9;N zAG*CtI8z41%Z1B$x`pjJND;jh$jao9x8C-X8yYdHmWVS`aB#_10FFwo)$<(5{0>6_ z9I=Z=S8n#Sev>>WdCI5-m=tJ!LMCbRu2j$>qoRLUPB4aGw;LP{I=e$KWBt5Wc@}2Z#h(X198g z2p@#iab?QtY3L{{Dis9&IV%9rW+aIWG9FycjVbL=)1P$Q$+dmzFypk>QOJNee^yn6 z?kwX{?2ixpAvC_^6xr!44mM8rEh(xY(&xVKS6twSv-xeQAJ6-S!1voYkJndjuRF%R z=cx+;Nzq&@cEvDHH5}`qHGLM9ULbLm%sj38p<|k$$=?a5m=Dkqm(|tO#kps7AlW+Q1w00-552f_9JCSF#f9S+s5{Le3 z8~!*9k6Fn{e@z(S2;@F+#8nF-@xxpszi)n>XG{JS!1y`OI&h!EBSx77y$JC$B^QsH zIA#%CZ!7|@gN1 z1{RJ3E*4vwyZ&lFlnga36=b574q~?IZQCLbKn!ivB&S8MC?!JaqgfEp&KdvE7YKET zLsgF_{mhYrJ6+DoW&*EKQB@68BlhfI5BT!_H5JpOx*{H--hPr4L9fVD%&|cD<>2TA z<|{;Ui#XK}xxc%H#NXZNvE9-Ql+KJ)sl$`&gK+F`fjFz3%Svu-BE=KsP^g`xU=NcT z(&kA8CsY@J5gXq;R z)Gg~whrb)1awj{3yBSd<1iL4qFbdQHD27n{;M9W-(Tknpj0jaRwBjK)#2TM|qs)Rt zsA`^!$dGVs6)c5}30{pdUlfik>W)#zq^zBIxtW7BkVJyCzT^FX?WQY7#zu05WYh|{ zCG8T7{bP*ecwd1m*uuif7fWtB= z=4eB2C_L*AXp&J{SV1`L;m0mn%D7V0$$Ki=2!&7_s@fr-B4fcJj$&T)$P)^r7-`N6 zt#5HDCt|aqLz6SOTD9j8z{chcmyMO&ZX$Wqgk;(DJy$M$RXSh z7*3ly%%7`^pKP1*+)o1a)65_Zax$Iq{FhV(9kmbh{% zY&w^BN^z3TkhUJLM^(I*3w{!zixhO^{U|}#-n7&`<|puYn%`M2TRAJxInXmF!4d@O z+gc)|;7Hz?hf#z%-dPWmlrSW0H0jv=`gsOBnIDd`Dzh9f%{mn?*wj{?k}~Hi1Nzr= zS^z`gy~1=m3T7`#ISuQq|A4;5@m>XvW`gM0C&ruED1D@w7K9&m>{TkMyuWUQ>3Dv0 zpEss9RA~NFK*)tmqY<40@YBJS=t19>>ep6+z=A?{Mfo1JuIzN$ZGnYJYfW5txx76r 
zs02+p$uMYx3f{}qs&w@s)L9fX|w`x)^k6L8)@#bUMyCrU<2uf{%1zDY&0r~ zuk`7YfHIS?f_cC+p=lUm6EPF;Hf+pb#DkWV;rcyYyjs7V*;+Ez^MwC|3#VXB_$u(}BcDA%9K>OH0lYU}7lNZEgifyn!$58>^05IhrL#B4hO6Z8TDXm{LrlW)x z!zW#(sS}Dbv1ws~0}-rZt@Ya);-&lxL1hA3uwcu)C<`6{2^9?dG2XppLQmo63}>R& zDNT|Z-^GzI+Y6c`XG6PmaNdTLbU z@%O(z|L378xFgU5I{BRDKp4UCBBtalo%xaIU;8g(p$#=+v!++bnz@H3Kd@-J65^~} z1`qQ{B@bO7g+OA2+aWDe`7+Yh!?#AGilqmvA=H=IdcjBMsl=N=7-jF#_b}GV`zf3RnTN6q?cY29U*Gh#N!~5frk$j1E>=6hAv>~`6ji7 zn*?x|$Lf@f)4m76qE+LC!o%v0ZbF?PUQfRfA zk!BDATkG&1p?rhCD+^3k%&43R{#H&m(e1|>-KC+kRSDJW>6yti&^K4Y<>hZL`S0}| zbzX5zNirw@bbSWk=yM(M*2OQdKlKHU{VE6LX7*xe)_2=^$2eAWt{8Il z8=)4)bJnmZ0LC_Me9s5aq|gOJ0Oe7JtfDP(Z)kihS(|V;RieA@!B^k&IM(lQi_@Dg z;}#u}rTy4<6f&VyC9@_0BW;Lt01m`>+YI+ZEMjDS24%dcwXpz#ei z)9Vf~@TM2_zD88yO<;CwO}CYOSKhsBXbdfV^&j2EivPRHoL_z2y)O{NP7mEQe#T;o z4^JJhy`F{sa|2YCOql8Z3HVAEk)5(vU5dVu&BSFcYoTL{use}M2)%>sW?qt(xk4)* z#wd5Njfa&!a;2Z~blXe_e2_Vmy0}?1RDMnFqN7=8C+Dsf8-ZC~J#0p9JC2-BPDQO@ zbsr!%Mkt3fbJDf%jylQ)f79H!Vkkw*@sKph*!?IFjG|Iw`T5w`8ri z3$Cj+C|&sy0^Bh+^(2iI+d^8MqVb4}ubC+CvWhunEe7T+JW`@h{y9(4yJ4A<>RwkZ=t*wDtJLy;9~tIz|K3Xf)c>b(LaD$# z7jN43tJLy|6*0r8Ak|5=_!c2n3pp`tsJUan;&_%(lK$M^+N*UFoZ#RhZBwnaw;(u!encnplyiMk zK)b4zKH3ZKAg`VdJP+8dN-+r172IZ*0^dgzp|C{}6OMg&Th3K1Ip_L2du5hPJ)#XS z^`$xgE1|U-FeS`UlW`{lER-q-nO<{bgfK5O%$KRHT1-zFW6)xF5$fXW5Em{nF-n@?|n&z zNu2&=Icz@(UW;CMXJDky%gI8KSfjW-O$C{^zX9zlda=};reEjl$^tU~mxQpY?ci3G{2*P(RVGD<10 zi`18id_Ci&V#L3hu<{!=5()<=EyF)t9X-9=$o;6H$;Bx`M=1QhOz>-s`K{f?%(){g zJJJqCz~0e0KU~rB8qHh&5ye|~YK`%1*-;lZp{7l=W022xAjO4xB9gIgM6nscB1cff{G&bz()B@`*-4BJIL%e;M)T8;vKIiaz&E zO_MAI$EJpyA`<85tZLY)n}7b*try+gp5IB9)6m93bT#dGvvHf1jqWFS2*8x;!49B3F9B zx!nbSCpk*^wKlrw9!>KmuwcQn{VVnmNwWN85zFO_NPmoU{}gBYWAbk1etl>``b~5qiHc4G+voZ$c0hxPC=$YF`^JzQM0Z5&CI;* z-K(uJKiXX2lch2{0XJYRe4KRD0%_5FeweyLF|H6ce{Ihc!~k%n|60HZnXEtB%PKqB z_|TPp?;3>dw~}_myR6pvA3A1rQD@qx%Ksp>e*=Lq=Avc~PpL5H$bm5|?KwmM{|QcU zj7-b+ix;b*KydGt8if^_RLb0OIVu-Be1UFU~RKX^vd{W6^agve3~tywob9o0l=jq11^{ykOB- z!l;0oT)gj>`-0mxuNy_pmNg<--!!~h-1Og4|D2%hVd}MP^=S@*+s?T}q7;kj!N26Y 
zqZBRHC7UifFTunkUyVVG=`d1E6(9p<0)`>}QDc=H^ik5`@5ynqVS>sY#Dpl~kocbj z>lKd6Jb}&v@sAmC!)l)Qfe|I;$J2fR?Q0nR1`_Jp{G!y8}RZ_aZt*W ziharvErtQm4J7rOIU$X=lH~i#5^Lyp+D;#cgCwiHTt`;=r{hJ`xWNICZf15>1vpf# zsG7@gx|1(3R{I_{O$GOEVqPDN3L%@v3Sp1Tlga*cMmp5u(*M}-6>b!=L}J}_!UYEu zv_nV%_$c-H4Qp&N7CIYp;4Z6Hi-OX$4lBbfs>tB~*s$6oTjh+4t4-g^fB>_I8&S*A z&B=)2g{k9FpimTebPqjil^l|x+)c?J^GnXQ{`MBU&>4;BRK(Udb==;}sg8b*V()j| zm!hJl#c8@KvuYH-+2XAsq>ouV1h1Cnr|?fy*Ykwz-bIqT>)ZEcq`-CE$*-N_I|Tid zj{Fv1g9cXkQLkTT3Pvevt#r_?2S1)uO;323zQ{ylsHmRmoD;yPe+a7d*V{g!FAc4< zak<5pTvg0Qf0xtuA|ey;RYwaoff2@LlCTL2VT1;*E*l~+uOdKdx+S;t@h?MvYOHoT z(rpgbBR3`*Pp~w#d|Ya1rm1KO&M1YPwy3D`)ShK_?KR2)mqnkuC)=vFF46_3La&m8iy z@J3~;o*!fD0MxSu{ev4#kdpi7hbS{P0A{7B*0uExZK5TbC~CS!^TLM>=#9w2tL~LAl7Nep-{M>FbCr))`B$&%N7$J?<67 z3;ThTRrSz!mI;fuB>vNa6v(AD6Lc2&S@&PdfuiIS4O~1Vn`Rxwf4c587}J`69CU-# zs_#C*b?N!9(A=6-P~Sd6k@%&qbYh0;k_indsW&_3;HTe{6+_+;)Vu7Qfca>QMSpvI zz8y_Zpne@JU1X>7ejU)y4-WgKSw15R5>(jUYl5ET=dAQ|yVwJMR2p${OwlyKG3;_Q zoFJih#W&v-D6RT`R%n+48?4=83^*8)JgD%IE>GN%l4tSw#G^8qJ#}lPZ!jQaqmHs; zE}uaqrCF)005v`sRmUl_7jVzVrTc@BktG4!NxAVb&=2{h?FIQP&lg8l=Wrw)(i-7f z&{G4(CvD++CJ7dj~>Q-cxO^&S01~H<}QttZ8L#JcvH0o5p&gj%eP} zrN1!#lg|n?@KF_a{KS7pXOuo(=A>dPE}m_k!)}pbCq2BIO!!@vC%zFBPYry%EYtJZ z>VoS#!f}{qxDk+6wR&6CuZMEb&=wI1<%cC05?GR2>^9N0l$Om=_9zhy?bL3_4o^ow zK=scVHI5QJA5J4YguYLiZ4tW~gE(e0tz;T!G*s&M`?kPVY;BA}3#{#iF_|%VrpR#F^mG|!nh1xJPi&_>DD&QED3c^7t+=b zzbk3;>wx(Ler^=;NBLdMnq1BxImJLd?W{HaqVDHvc#ZdMrEt$A2Y-&^UE$x1!GCl< zD@H#)yb}^CeTZ(tvxqqhvdw<^ZyI=^M-a;y;8rWNkzSJfd~XoN{cUu~=kQ$UoJ4)4 zNR z2w6i~Dj$U64nJv!!~%#Lq1fV)Bab}fKvGYQ`5}H#JhRk%unq|%et$xD?8z~;xGI_I zczGnr+8Ghb+sVeoB>5-F5FYGSNBXjg;388H14*{d;wjivA~F_M&D zrADRaLf2nn^u%aD>#H-e{~Q5G)m5!5zBd=+$VtXx2sEJfq)+L~^I&f;w=$DA>D&z@ zxA3xYrO$+ro(V~u;*2^Gw83BiS;~Mt5^|W*hZ{o&+2I4E+lK-XD)a&v=D=J~(W&jW zOBN-4ev@-r`3#!@2QGGAUm0ex^zv#$W`%78rU~QTL5@juMkQ-cZc(PR#Kp@NZ$uXm z&HvTCBn47+IYMTz!J5HN(9a8&mABV;PlTv>U64FJAC}F4ERT5jGZKP+_rwzf?$`+cQm+c2SDq4HtQ1 zJB##(C0Jws($$(heV~Yv;EAUlkaj_bo;g7N2>tTRSHUo{Au@)(H-R}MOMAV5|5;)m 
za%~yKEB9=`I^Kl1VotZEy>hfJJe&MlIk%B=EhP0UUR``2{(XgczhkW0#`t>m^@2l- zoyFm!5X+rdx%Y3+p~^0LVLd=u*nTUjs76^k8GeTK8k^U>F)faPFQAKAY4D*ts1xD2 z(em@l^9fQU=>V#z2o1xr5EvHM&s3K*%-J!MSm~;~8YSRdes6AUMB7%odPK((iMr5yr-hNvoekIe`@kOik`g7a>!EWaYfx?nI_2 zlA&bwI?LXT8Vw!Q?OL>!w4ZM!^8@UWO#7`tdPx7cYWrnUhdzrD98MAZoIhV=C^&w- zAfW|kN@~0v(QPE=al@RhSlmOJ`4FURYeO#@&_Ww~2^Vh( zJUwEW#rwgDv!(6v@xi(I=-EW!ypbkdV@KnsFb!1GECYcV$-&=LxfE_g}g(Id8Ezl#yT~{ug@NP;^|hh zdZsp!?W~i} z;zTqsS$z2ahv2EMd@7TE>MlhC0f?xnmZn_#ylv9c?#-$umVPc# z297KRd33O@*C1jxdZ<+5d$wP|4qe0)p`Ze5>QE~7YIy!Grv94IeH5O;lyBPsZ4 zaM;kUSAI3kpc#Q8w5iwN$9PykNzq+$HUUuY`QsS|#$|>#YQbS zJA-^<-?;{jbqU+2lb?O7tmD;^B~$OLyFbdheXTtyQ&Fcf*x@$gsW7|AjD>Q2?Dog0 zhW%Aw&DIrRw;)f4RmxQi75Xtp6YzMGt^xompOYj}is0ma=aLuPB@|8vKevOw+Vstr zyqxPA7_0sr1a;MAG_FsT5uT}nbz39fKCxl?4~Cq^l%6gFM`s&>u5P0bxWG%~E%+~u zgHZPVBS)i8Z8x0mmN|^}rlxc|K#bwTn%4Z9p7y%6_4$?{kgcux*V>v9#r>jst#;*d zGYzl4@LYj2?KqPt)zcO-h&tr4FA6=qP z%Hf9DuCatmyybN);cYIfy0QwqODu^^WeUDsa1-EITV6}@Q?3Esv&Ft{i{VgzmORvN zTWIdm^k_~c`B_*L#NWDBG%Ga8o=`*79SY7jJAI)op}($kwzfAvx83xwyViUj3ogEV zo);^(zTR|;La)C*c0GMl zunC7#S)*I2oP(;n`W@NBuZUx9*+VsRh8JyF2>>3lM-lrMt}t6SwY5DgKz~oo6!ArW zi5IWzGMJlYg&yYFm0kCDo^tK!V}WecRX z1bb`vAb<%Q`N(CQ{-rxrMJDmaC``@=E>Tb_e#z=Z>my_Z?l0w%+Br%CH`w{3;DcY6 z$ByT2<{_ms0YDrkF~XqTitY?+K1)I`}}P1Q#-GkpV`{aLcQw7 zLxyOlZ`~UBU6179KQAV#MsT68x1n|O+MwTl@|^v$YY-gQofWps*YuMCWXZvq9+4&U zC|YhN8BcyD#Hb;CG}z3fHoeO%={XmhFB$$!&ttLxkgm=_CATeT*;uExi(Oi+)7~$b zE17{!&p+ zE&$)b=<|*!(``{N_k21xwZ%&`h@pz=Np6VgG+%3e<5L|aPFqbsc(9*5loXxjLhd3C zBP}Sp{aK3Xqu^jnENj6WQM76o_I*}8qDU3nGE^bGzW2u&Di&Cj9!H?r$y))8|D7Da z$wb!j4~&ncbRh!SPfL~NeqTOc{jE-IC<;!I2TkqR@8UL!biv!!=k0sv)|{5Yn~=xmqFaV45*$m`4d}2HH6BFMd2fP*ZXA$>xP%xSxqZ z3J9O)FB1!MIAyrb#|fYQ@Db(nQy4Oezb4m~{zykg#Zq@O`L3dMZTS%AnAPG!oKSMG5mepK-oRax^dzO{q5W)kIzW}It_d7zpasshj;*Am@7X@5UVm?P->bYXuj@c#Gi;)L+!Z}%5QX`}Vya(C_rJpM<2 zW885~W_rLmG2T6JJ}5f}hF)jZ8d^ezr(0#>#G|aZk5(oM<+}8u91XwUffn8Vfw+BL zWXl&*@MdkBQu(c%JyP+W!p4=r^pvi(1KqV__|)7l89M08j&Hd`E`!qUvSw0H=j&_!{D!XgfMJ77y`NNgSw+p!g| 
ziNIW};Oua@>-*>5QQV+n9_uxS1YF8LjvzN9Ue&^81NU>`7vu}?e&VVq_86=Q)Y>T^ z47BDc1i1=Z0|dz1G0;Hh4MU!UiGU;4nz6%4e8|`9++ICQzw$r|sC}t2l-kgPof;6b zN-Wje)y@k~TucRRrL$|ythzD++M)ECr)FFTD38_b&XNDv*%F_(m@9A+7U!zhwK32X z@j`!l9riE$g($yYSg#@y%Eo-!s6MkqlwGdix6C%|YP8NKJ|!>~;>m?RW?oInvN(6> zAS?hIB#sEwI#NBxKAm|j_=CJ^zajAa=x89~hiFix>*>sI^OM;*9W^S!7&e=!&-@gs zUn)jY*)i=?O)HmOf{GxpG9tE;cHdzkVp_dw?GBS@N@mEx+|Dvx(evt}?dA+D&Z`?~Wu_BjvK_~*D zx$3WE6W~vZs&QmQS0p0tmjLkBOIvb{$EFW^1mh#gPjyKois~t1F>BM$UMJyY?c!vx zS#Vv3()XGYZ;&&PFY6+2St#UBrCu8hE#;+WfG9os1oQ?Ey{w-|t0i^*Z`m4$MVDc| z#koFfWDWwRNV?JUAkB8M50I?mQ-)OQRPdEurRRJn+1B{C7h~#@oOq0c=b#%CACyn$ zeBGHUlxZ!hmfkPf%zfPCA`k%ystLbDDi!xP9Aud-RV%L53a-LjbNsqEH~d)inZxMgaq4d4bqCqHMl5zu=BHcZINl?n}1_9ADjoO}Zq;|a4Az4(BQoO0WDd3ufL zyH}t8{I#GIQR4qjID8e&rB-=8tl|~BD*aA=`_(t0Pycs>J$SOku9~f?b$lAirMaS) z(hB>p=O)K#a~YEj1ZCR7?6ofXpux81!s+wckwkQ1IavVL6rODPEQW80djJ+@chNHS zq2HLK*9mA#ax&ncer-NMnZ1czxv;QODVl&a-*oJc{sQ|BYeW;*vG!n4@BL8Mo$e*r zxFdJiECaQR69MOYe@*~dQ{14`J5rxP`0gvEBx>W1S+O>du z{7_ACgT1rgN==ovyGZGawqBBcf{2ed1*)e?w7wI%R)%KbXbj3m)HRhSEthVzWiUIm zo_9(v1RXxdx>dD5H3gZAdSgu{*=CHy$F%H`t4_O^7{thZk$b$}^hcMvSqQGc&OL8_ z5&Y$;-9x6uQeQPgoXgSM#00o+qgWR6S=Bd6HH&vidxfP`tX*Ce!~Lnd^ih*9->A6F zuliveC#ynIE}eLz{CJ>*=12^qX#QEbQ3@kEN2at8s1?+dJd78wR!GkwJybWN2@#uPwj<+Ks5nIFW(Ib zyGny1scj0ot(O+1-=JvokPdm8SaB#6wc=@{66r=H@G(h&i5F6s9f$pIF0^EVBc1m> zQ_W6TMusVX2@}_$X&!M&6!5%p|7{ca+6R5FB%H3-3DikGX>!fuOuXJ* zStTGe#yfqvncsOp4l&#MX(m3@9d$!g((~j8B7V6%zw>viVkZPVbN`1W%kNyo{5XR= z^N*o>mQPxeX*e*)K?c8Gx9C%13vR6a9~JG)P<;+ezw;RV5y=S9=0jok-H=XZCyBsnA7Rpq?+ za|p~W^cC36x(o(vA$qef;V8OD_*`N?#LBb$Ey@}@!vIgNE zl=IP_&k@o(h6iK~Bp{G0KSLLBQhyiXgdWE-vR{yY&Y~1RHWj6Fl2}SQ1%8l!ku-H) z2jcrpjgZ&f5O`5SQQYJy%IqLWI17uRp2S$);UU03p2Ca+W#?n(k@A7kg*k#)i}3hg zt)Tx(6+4Ua200fI^dCf4*vX*+;5gEUg@GWtn0b&C_3S~mw~I^rKNb}C=w>zZ5|{R5 z%qSapfT6d58o5X+`v;fay(+5iT*avxe4NnKJ>6bcSl3Tugq}arBOPzD(`*I3<>_<~DdR>w*@I%y z__pU8J53vc2?D=C3^^I;%vM!s8%2Gkk8?cwrE2~L;P7yqpRTDHVW_d2C z#jd@=!%Fa5Ro1x0K818k+P2Oa?+)-=jZ4S&Y2-=TrY{r%bjl@dAOAy`7Js7(0smlk 
z<(2=qN8bwH4C6CJ?Zvi#5=YGKLO?^U*Mgdl=L*gWLDS*OUZl#vQ(5)ew=Ukl%IM8` zzvU_a^uLib-_`#o{8zR*cZgm4X6mODe-n4Fd$(n}SDRd||C*BwTT5^ivN>xjweQ|= zb(`4CPvOvm)!ZUITWd=AYkS$ku~&~QZ;YNO%V$SGC$|7?R2H+C?rIkDk`$C4jgHYC z+Qx<<+B1MFJr`QM7mAaS>8_V|9x)*yp_eoE_Awt*rI1-=jfr9JxT ztJ(F=Ah>HHt`w8b3?_zpg6Oo}4nKluFM(LylBJenH6Rd;p9#@@k_fpiY_Mp5jk&j= zR_*onXA>oh1Jmqv7QWFQDn@3@w$b15f)#F{BOMa^D|DphP#)ibLu0bEc(`aJm72)RXm3)O#vbkF`N z;wXO$wABA6W#~dgPx9Feg{hE7)COG-g>m%06{j(JQxI}oqwpu1lW*uha)aS{Rr8k{@OA-j`Bxb+D^r=iYFveL+D=}>)Dl@2TT)}Vu>IKOCD*al9i30~}% z<3#(NGOB-9KU-L^HEVEfQ5W}Sc-^ksQR2G8&EiYnv8%@|=TGgX11TP&7rT*nnTqte zdA7tpQ^>TY6x(;Ah@~0N4^voPK@dFqKi16;ewck`g(^wIh2noq9Oc-)vZcjBCIU(r zV{z#bi4T$}635I|^P3JG0^tx)ZT~VUTKv{zwxk?!GoFdzQvZqM$RPyjN|Z)e!JcqP z>;WLUUH0?HxwpSt&3|zNt0+yRqC0V|5~iv5b{+;mh1ot z=PLjrD%0LTRIy+A+`Tb6^ymAG?SOij{tn;VRgc^b1L?uyE(}Wa6U)gqks&!gpwteQ zDz5q}K%!8pBj+|9#;4Q@bxC<(C)(`1Sra>r>he$Ysd-%+P5gg^A zfL^NzD#LX<$p*}XIiPfVC|k7nnBkp@y^{h7uR2v5d^3QVAy_($Q6eW@6@;Hd%?_w? z226F~^Fpfuw1-YsRetMHLKJK?%|?e5D!J_8TM!M~aFC^NP%YnBv^`$hWL+Uwb`$acxO{;-T z%J=$qPV1M%?_2e@$&AH8T}|Z)bl<6y*gH+wK6B)rfi=ESXR(JW@X1E71an>I)2OY} zunpjW;g(h0CgWWPf>p4KsJYXwStu_88@m%Ia#)DDs=~qG&E>o7z| z%z9z(n;)0V!teY3?t>t=VW4+qKnnPKK2_99!xjF@m$&?UVb{pZ#{A6u{}~^G;ctqM zXXyIoAV0@}_dn}1bguEU3PIkH-n^w*#XDwk@W_2($xDE5A&%k?VwOkznWBr+x02uwuFMvAY!QHM z&y$TA%NmRr(KbUdAuf783E@T@3FeW`K>Z>R!0S9D<9rscU+dSgY+hqPnk+|+X-Ez) zO@0(KvDon1j@9ehA}U^;>hsr?`L5;)%?_39o))HH@~q|oY#_@DjFF0 z@WR$w@WFVW5Wnk$2T&+K{?&krD z(D7E+rYE;L31{g|3QIy48?@|<|C}=*eKvILpdbz2dTHSlU?~3n>m2U9tw&7u+~41N zd1v}5>wUN+JfcNwB6<0KC>#~xq9{$6q#*OGkx7+ie|BV5JMCMtdu(9ceC z?NA|gf6#mYmKgrdH}HK@xr8J6hw*tWpy-Y#=4fuWd}(-cE^ObQ0A&0PhDaq2^48!C zhlqN~%3pP)Qo=6v>h6zW<{xz#>^TX@3PVl25gkmfo|0^ETZ1O8)PsVPG79}@Fa^@~ zvySgb&lHozc-<{dO-tlx;F%zOg%bQc$L_cU@sLdXZQrMysE#iU}!WDpWbFcO;e zVOu+SyEXlwK1f?(aB#td)7xGR0>?{QRCS9bbko_4!D8={BB+IdXu4$KwcpkksMER) zUOaXf$O)b0haJ4OP!$81Xm76S4N>dKKom=r7i}c7@-mkqe?ad-*+mm}gR(oaw;`gA z52;3jmihLjt-Y_YVuVD0PyzGj`z9webZq~1$aatkgv0x0@)H6PA?OhCAzT!7x_@Oh 
zt%pzvRroI;#DP|PIM-}*Qzz{F=o0WyVTUpj=t(J>nDad(#D1pI@xf1MR$-L`?xh6I zhFQP*aleY5I|O-#9y(LJs3JqIaJ!;aj&Z)bW7f@n7qMvQIy{tFc!XMHq5b+lm^kN5 zlV^DZB^>vrVWp!D5k*&8fojN$e*h`e;~s};@NdN3*D3N(aMm#;y)CAZheVh1ukA;-Oc z$Sp~g$Hhrb6t<>L=bG8>!)W|iv^u*wksri4m_{Q>4l>JeOwIc zpN6IJTc* zbLK=&KkYP*$Y15sY=NnDrvs1ZIQRp@m?dBE}Ps|Arq&bbiE-uty{OM46Bx@a_Ly^kW0-hW-iE5Oo_aB zOzF{+6=Ct43utkGx*v0oj+)Y_YDLIu?6lj-l{Z{mb zId*7eiw$IZrO(g%I98F?>$N69YNVpPCXQ7tj6T*QAgVt#7b5Kpcdmy7M0M=)QZ_h` z3)P~S@J{gg*PXaB39Qmw&|#w6I`gQp+MLXh1|;CVtIcA|iPs3W*-VF2y8d7eLiH}P zldH(n2~d*?Helj%K-jU!;AoJ0&O9Q@?t$TRDQU0icM=n&76@}(Vo45IUOJbfu2hYF z%!=QB**|~uk6}Qq@EzSadF4y*#Yf6O^Fc*AJ#Gz2oR{kR$KDE6|3W)jNWQ}B1yUeG z?~1S_xX!&eu3l7@G53K;=fZ4Wa{GKTxH&o;UsjT1T9#^VZWe_z<|1=$fXD7n)QEyy zUvhyn!JiJ*`xq_fQYhge9(ko4zpd~4fZ>}g4ko5ppU3P~W&-kU?ciJg4U9r_)bAo= zM~Wtg6c)@>k zQ5RkZ)`pP){)n{CRXJ^Rx2b&a!(UV!-MAf`+r#y@qs8;($fh9vYQVwW$6$f&O*(R^ z(r8kx4hOj<+SqyI-kNE9a+%9ZubL{iGLDQ8(#RuCR}15Kp`C8a}pw06u}%A;6oxgNGc zr4WVz!_tPbMk*^~_004OT?F0;0&UG(^C3YEH7+vv+}b~?*y;;NZbRov)_mfZF>_J- zSl(J&#diKIITWlTK!IOZD=#AX#nJ^UvO!uMkJP8xOmStv4~7Gqkyu!Z9}SSyszcl< zluW=4mV*vQ*xpPSM20u;qSMi#+C ziL9)}J%3|wlAtEaEe<$wgB|a3Jf{6fZswY4zj}>iFN;TjRtiaEMyWo~ZYwjAr^hb) z=#whe&Pp39mMX(dRh@zkgAV(_C%m8npOe390u?|VMLBmiXi8?2u)t}~8jV_5$1QO0 zhq=5mipJR;2WG=d0-`~G5gP(4 zGO#(S(mZ#RdTso}{y6#;M-p4@wR5*)17CIbQgw<2%CIoW1e%!&X`ZQVaKE4bB3YL^ z85ua|oM|e*g*DB+?r6Nv&ivweaE(<*Ll+D(WYgD6#HjP~d_G{9 zLfkAZ(vmpx5a=VJZ{&N|jK6igS_~$6j}990vVulIEonau5emOd^AF`^FJA83$~=P5 zc+OGrq`kT^>i`zT?Wcxw?%S3k_h0ey5fHQyrL7YipfhjL(MS7=WhF?MJ%e{OO7r@mzxgt~^)36Lgczj(DG^N6&ykk*t=ku&0tl&y3}vC;RX&W+Y>gyb zGGC$0P0Eq-!A0D3paDyO-pHVOQRhC)L(-Gdkj17qn?|b0ei0z+L?LKh>}ocSeTYMk z!wP7-%z)@d`4Oetv;J{^PK(NeTTyZ^u+&J(#E%#D^X{~nQLn@OHau#ybo=uNvHMFF zRuKkuNIB>BkBol&Wc>rN<12<;3O>#)H=V<&t~w)Owz)7$>KbpHO~ z>F`=J{?jY9{MLPy`bPi5{12Y_KLAJ1-w7SwW09J#UmJA>H9qCWFCs}+foC-#VK;hZ z+mv0KcDC~!o1s~zoK6Dkc{Mm40=bdP<`!ove-JflQ;6fw;(j!(9`0CcSqIjh?pVXv z-mrgQ-mq^{#9I{#tXc`Es@s>#j(EOjRR+2pl(6H0H6bL))bIJwgQO254uNe=$p0-a 
z*6`ku!kZ=8%H4MBl++$nb1IU?g3nHln_)u_2dAwAgkU`K>4SkzxCm@<9xiNU=hWD3 z(=;)vD?%xFQ`9S1RASUx8P>=xJ;V8L3;>Bk5JM+tt%z?$>0JU z?lEGl!+-O#!Qm3vV?6L8TAVN0Z#}^$D{FIjO<80yQAaaW6yC}1U#j8z5vwf%YBkF) z?e8yV7!q6@ZG0H!ruH#HUVT=YpUxjEPF=6vs=-!p_pvt9{8v5hFR{cMxPTf~?2cuY zctc1kt6Gd54wWZaqj`=$wKb!R-1O?g2I#EzS`zNGEAVT0OXBTe7+_&qxbz@AzV1DGp0y;nwqIeK>@=ZkyCZ>tKbMrXpNEx@n|2 zR(qCCCFu<|i-;_NdE`$w)sjzk`YD=j`Thcv0?D?J)Q4SZ8g`Xyrz}+;<9)PY?bTvN z1FuDikV)~XuRDONG;V;4zYpT1y!GjqO#6CW%Z z-QFLY6qEP;5~@JF3yT{YC$mfp5jl;&92A*^wOvH)^~}d4UmoK;&ilPMapeU7s=?&i ztX%cVuYsk|Ea4cVKNrvTlV5i?&6)`bWg3Q`es^fzjLm#HYv0v&oY!+uUsB22xy(^^ zwqUOrJb$vE_d!$_fj*2Z-zcgMhftnpznMW!##91dZSeS}da+Lq(MybY82X?n6U z7KVig`P=D)>{)7i1$sS7nExYtgE`q8Dxpz7txhm!b9Z(zk;Mro(ne;uRik#qHoEiN zuKLSTd22-XB!j|ah>Lqrp*mogS-X;LK1-d!sJj{2{oQv=+&S+KuP7<` zlFA(XYAApJH_KI#pOV$P*J=PSFZs&i(xu^3;_DJ8tf~F=PwUghmtw|AL?pafhFu)n z+es-uNzLn{1bG`GRKL1UgOYfFr67mThU3}Q>Rr|fC;wLS zpYTxL$_ZH#&#y~>m7NLA1Do|Pz%)xu+@zqkPEZy;@bGQLG!?zU~#Nh)|;W!emPR{Ls@=rY00a zmR~S`3_qEkVIH!eSsSu=uuP3TM{dBD4ZJo_FIJl)`?2j#{ z$cz06Yu?4kxjp4qvc|BkL2kbt^w)vk6(HoO+J{KBOV}q|4S6eY<- zB9DlN_!pFT&!=8E(pb*o4IHv>wwaTxS<-&L-EhM@^taWe5|8l!$62K}W?r)Dvj#4p z8eN6LzCX=Wu|7zgyNORJ*MUCsN`u_-BGeHuRjKW9xCM7O@2X_B3TS3xZf?h?EK7!l z?r9hBkY0N%gvYyYZZPMGqa3Pb+JNb+%yzIc?^MxlF{FiPvNVW)6yhvm5WmpMs(1!6 zY=wuUI0mkZA!f8`wrQ5>(j^FvC2gl%${xBCNeT}k&E{ujeTEge@xfS>h+CH^&=fU>jR_#A*z}b zHQAUSfHw^jUm!nE++oZq%|eWJqKmJeg&vXs*#?FHffS+;FzS#!DZv(JYI{upQmyT= zjPE<0qHb%XW$XWBy0cro&2NBRQoK1p2^jZpBHo(q7@LJKrV^$?*ejUBAfaA&91LRS zc&;K}v)f#&?hZ^>)r0D^CpLV^)(Te{z?aVa{hoX!FTZ@W;uG90)5=1JmEF){?s8iS>0K@-;g&kI-nqR0u3H_H4D*c43gn6T=mqa)dhQ#b zQdtIL^7@G5koXtu21TIXK!9WOi!U2VDK z@w01p&{UFU$1%{Hau=wt6t3Tk(zAgl+{xY9xq2Ey4^E9WW`hzGpROJiiGY-8sn->l=OkAbQQ1JPnW{@fbtZA|o2w z-svOqjx~kVgQ98@$M~~jV1J)Bte@lU`-$v0m20HR+zv7kyqZ|>731}ZjWl%Im0`aPh2W= za)hKlB}p4(Mof7LaP4b)cprROs^i06SXNkHNiPL-A?(8}v$KViMnN24gUVa2emwNl2wco;4 z!_sN$m^Do3v}6ZEYGgH=w|I=7iT6pL$|eVQ=eYB;z*ftbuw&T+j8z43;2M3l@m`Rk* zW2mSAZ=U)MJGX2-a;6P|EnHweuIc822nx#ARqV1>c}k(hUGXwD#rk03f&2X!8)GV1 
z%pu(sul)PsYXQB>V9?p1N=l2|?3od)1LJ z#mMC&EhysVaPImzhHr~4ce7Vi9>*WjQe+81;vDu^e#5^3(M*$3Q&x^&l1Qb|JKiDM zZcn#&?|YkvWYNCNn25&YL&YZh?A%1>)vSAH+SfpT0pDMc&EHY7YO|g+Y7A}LQj=`y z7o@n^@8{J>BGEsDW%Wp{7V1qCb}-5V>f>uo_}(0`DsX<~u)96FV{JX>To`4IVBo4e z>TDNeu3b+}t3v;30GD4(r((;%bV)Ly0V&H$PC!S!_)Hh(JIFzRP1?ZNB3!k>Z<(A{ z4T{^9&g4#y8`gyNof!}$L_=h>!AsEyvQeE&TS(G{=m3sDnbUWp!_dMpL^Ll^d3o`# z{EMZD=K+z=Zr<(p1s)xP(SFaxA>dSO(#Rsr$iYp_cD&sv;us$-)XPjl9{Ytib6;4J zoG)EuotU92iyG-e$i7LL|r*Anxt{ z8-GjbFif#;g~6+5T7TsB*OeQvewvI+TxTZ?(x|PUD20u4$02hi*A!6fE~w-lAsfb* zLRY*n&qG%zERQYIE@__y8|AYNca4>s7NhnJYJX4r>mVUG)u2AFqv<_MnhyT&ybyF0 z-Or5B);J0dJn@1l2OAi)$@Kb(MN$7nnUTe+bS{$Jxdp;_SF>#6s`S=#^eKO_D4NFP zEoMXE9w?z>!@h+h?((4?Ai6}K*$!*BQD9FrGL)4v`V#3z_8sw>_1Hcph38a55Pg6?5*GTRV5lHA{X4;QwJ3pLj7TUoU%aexpz72sINwxCWr$y zzf1s31RHB3J|%-44r%g^3a#$lv^v^&1w<08E9*Y5AS8$m1NygjRuDX6jnADjjn5Ma zGr`u%>TTWP5R$xx0r-wLZ0#%5nDUK{woZ2|OObdXP;o13PLC?~O-C2y)674jkCZXdzl_28w^Ob65e9=S`?c0QlA&9eag6H^-!%8?jcess`WoB z0k0K@Xy%T)FQ$TJyJ+i>j;Df|6zu6yL8&U4im1SN81hzpeBv__$%?Nfe=lfc?B88A z864U1SC&#uVkw=Aj4oA*2n+11T5FneP(T6am^H<#7@T=Mk_1LC=H1i^XeLHwZf7Wk zPQ8!OI#E4ur#>GNIvz)V&XFz22WnKN;QnRyIy6s5x!f1!hu_foCMhMv^7mZdU39Y{U0#JBko$a14r&2wx zHd1CrbRyIP>@G{AzBYy^EI1t2rp8VOOSRtvbzVrNKgB>UUYSO{Z#8o45Vy98St*z8- z8hSP_{vH8DD$yvjlT0UB;(ReuM$~{6X@9`h!-$$GFm|POJ;7vjGzaU>6k*&Y+HFC> zHSm2Q>XXHk63mx(q2X$Rv7_#Og2j+Bv&_L@gbE5X?xMFrECz9Foz1!B5E({!Tf+E~ zHayufyK#gBRSO||Ot6XJ?U9}nDNuv|jKI!azbq!0d$(q-?iF#U;kq79zpF*#1K{W+ zUb$@9Bdf;{(&@ndM{J@*xtPWD5Ke*L3Q86n)rD3419qKLZBH6T~6paU=6j)MB9cs*Wg z%|pM|_7S`cnVqyK#m`t~UL^e^AfyDPBCAJMja61*`pYX;Soeqk^hRcsLJ= z>Ly+)_?*9oioZgq0a?EnU8$aJPGB?OK<&Q z&X6WDFum;!=K(@Gg&s zylw}aoh$yXxb>9b@tHdI0RBIw-Z4m*o&nb#+qP}nw(T|c%o^Lay~eg}+qP|c&b;5Q zQ+xkN2T!Lf)p^p@om}^wM7=kSSN=8asVHYG5MkSApBMKU?M~OjTHUm#041P9v&3?1 zF(gEHJwrab5C}I53xQHfbScFLUnXN)!M7}l$J#walrca}oLdr%7u!6VUbE~JO3I?_ zve9#I6=d&PXCDG~w3*$447~hIuNlm?zi|~w`Uo4g!DgBPA||GPNPrlD#oG zUI3@vl=%Ca<${5&(=qu+PaL+hX&0J-E6`jXw0tMJbi1bg8(d!AK}pZ2vlh9K+Z(K- 
zUaAH*xx7=_Y70z^l^pK0+_C-xUh->(-}%*UOl&HZ*@Snv^}KS=}L(5%`96 z012H&rG|uzUV55b?*6en|J@c$KeM34(8*WHVMH^!)KZe|qG*T-mzS>sr^$MkiIfSi z_yBot4mj)b(=iQ}2%j{kI}!5l4n1bsFJCy*LuF}S;q{Y6HC^YcI$ab&dzDa#omYMk zN^*6CU>Ru150Z+4wRXkU*l3v(l0c$o&bS{{{iGNSkfw`zgB`xqq9a|Y764uc(I-zT zITT?Mqq|D)C1Ue12Z)e_FujyW5>TgJ+chi{%xoNn5>gsOm zSA5&jiN?n;?}$Grg~<9xt^arG7^#|1G|8MlVp4fmYma%k?Zr z$-r|oHGTn$!es=G1|En&!E!Z_>2+BR!&fyQQcv52Yj43o{(I*)P?X_a755ly>P9Yv*KQQt4X&sqJ6ANQy3A8FeB5F z8Z}~a5opxeDtlX#tk{~dF<1s1DnKJe$W#@@YCV%=p#RR)Q?Zp|hhGrFC(E;Od_pL< zZx_WAP(}kfcRLd)vZDlT5O6IBfvMLj|1OAWBAfThR8@PZV4|=JxYy5|h9*&BDT~6R z0^Y^6XOs;0K@nVW>S4+aN{JJl_{hav+~|Wx1MedMpeyZDMmG&h#417)pv;mW!jt_i z!bLozjg-^@yLh0^z%`V;EXrN!yvSoaXug+=IIjb@O1EkZZ;-hQaBtHH2x0orFm=m4 z=Z?_!8A+<-iMbPlz0}3LhBkxX$=)(45Yg($&Fw~%FJxdZIYt#?YpdzQfClbC{@WVt z&YkFOQ%ZFUb?`w#!Egt9YZ~7a#3V6((%9AQ++|b7TcPn!dY)|l2KKzae*+*&4kbg61X-#G- zZgbr8eo>+g2UU6DaU^ITt6p4LgqqnHrsNks4B|X+Mj?_=3nXCH$O>B{S2`K|ymtL4 z)2s=an|Q+Xyvw0X#pqxEQ~(HC>^!5(Zu@HS*;fuZ(?AMz)h~>+I2O;%OGp2KQP=&-Tk~b=x(mvRv=DhxB;WK*k10*$R_rb=vVd6 z;&k=PJF52s`x9xPXEi$uVKJf4P3^NQke_B_H;bZJ27jI^S%>2l($=4U8jFAa9K{RT zxj)K%sTgclefsSQb-H?I)y@xu2DYa3xHD{olXem5NwHvkQfJW-Uq8oYGe(Gtn$!CkaO@*bwn%O4pudr96sGX0BDd z2@2z}Q)Y-*@WW*jbe|tp5mg4WWTD^YlF}T>pSp&cJu#@=*QhI6H=fu(FyPT8W=xh_ zJb7YmY}5@9Uk+_r@6I_^lia70B&P@iYm=DkN<9BUh4ES?Q{7xGAqMI@+t~c7D4l?^C_P*QYcnqp)6H8*ElO|D-llPqBFu*ai zsN$7|h!uG6)6L9fblu5M_5wbE?did`d1L21z?{JS+!>fU6u?7ui$~<2vR-K4U;WU9 z`!M#(&{EBdB__@2Y$93FTdp+mH6Ow4`EEUgzibl1z$F(0?WwBA^Uaa+qRs=KTUTXo zGFUFYo=(psa^}EONZx;JR9HC@EU&QMbVJ&xTN|ZhkgJ@L(1~WE8Hstfe4=-`lxfmH zYG|-2i(AfPOe%AsVCu-47<9a+#)7E8>ud-soUQq^CRXg4y+?Si80E9~x;GxyjED)} zHYnfZ_Mcm^`$V@vC6CQPnfl#h`(_fouA{FfTInp?;R@C}_0WaJU!D_zW&Xzb%3>ex znEr;iXU8~SNzr7y3z?o5&MGe5M}uZ)90+&%q`NSHkhEXlK_!A*cqh)WG^VwU%Ja_x z+>cBlW>vBIyXibq0JfGa_6Q`m164Sz+mAYyW8W_v!y(Bkh{2#u47=Ll-3rJ`!(s~f zF{V>?Ps%OZRv37nvp8Q))@W!3o<@%%sJExj+OOV#^I+ZRD0Sxhcu~VXD3SPy8P2K3 zur15gVC(#RAfNaUhe;y5U7G~=PJ#CGD+w~6^GtjO3L@8}JM9Xg1Q^qAq 
z9DPnABDK-YZtW=zUF!qQ2vAjvD%D-Wd&7P}LbO|Ez>Pr|Lkee->vVnkwcx*mlE>io z#*IJXOzyJ+rO$2T75j|ELw0G0iT|K03ujwHsG@$OhO^M4K8&Ujl6+P7W}j51&^*!< zVRjiAu?PP}<#k^E0J|)@Ag3GXw?AEO*_(Yz9~KXkoiZ|W3vM=QiN>&W17jvj6)DuA zG}SHGV#GqMwhYIB`3s;8%Ei$zQ%&J8H2RVO1+f9ILzJ0~n0>540SfoFDng~z)tTuG zVw)J`4R!%3cc~xn{P+#R%oS8ZSVma?wMr6LsGJh#n^dWRgqR?=!-lR7A{s;*%NRAh zJ^)un3T(7`WHuEfOw>?CdSNQA>NDx{%ExTrl>4-1{kXpwaYr`%=i&29l;2@?K{oDE z;u3<>&L2Q%i5HOT0EhJ-QTArT(Wskzrq<2zQMPiQUvT+!)-@9i`0v9zFnu*(;^56j zxr`^sN3Dw-_m=P(PtJzlAkJnTZ!Pbyg4LhW%C!qIR!`E1b+s#JAXEEU^nK)6-vH*| z=(S#^T$Q>GJUv`hY0bajYpn&l0j{bW`$T=sz#h*pf-O}wSjgHMV;%44XtEyO&B+?= zxGa7R?$C&mvD7oRZ8sfpXm(YjmW3=U#z#G@;(#UBzPS>OS#gd;?k=gd>&!+bx9w+~ zJQ(n-=d|Yi4At?b)f|OsRk!KH%B))Y57SMTr`fczVqJ^*gFV|$=;~{V$@5KO_BaEe zc%b69m*&Z=TQOT+FzIIa*J)y9A6$9n!JLg_xt!bW?~d%-+{s51g9Ci&G1&8dAmXG? ze2-J>tg+3+*x=7VuDaFMUBEjvAH9*9$MrX4RcLN6_d2hNEcpy|Gt}R03NSTPpU7%J z4VKCJqJ746v%bz(La=5`p$;$07qao4G!BHaCJkf>FA-QwggR_dNW>Ai#}^O#^;9|R z2~&A{W71*C;ZKne*|E-*B7|c{JpE+`UN4OAHEv{Vv`Q2^AClqkJcOq>4NjmXb7W!U zCTi}(8s**Fknl==vZCpjN%dm`&%g*>LfCmXA?y%mpviaXdL`i%Hx1Jn4Tu;Q&>+`N zZQp|l8Vs9|7&bw-`tVo{VfOjaK7~m-%siM%ibG-=&5kKsu#HIjM}t!MgIpHJ=m@#lOJw==-nW(&7Se@y%X733H|pB6U@$R|WcC)I^ z%Wd~BKf$lrlam&BPVzt2*RT-$J;sS7GUi|s@>@~Y{AlSI&Cgt4ip4}ZceSF#%4Yc; z{`XTY+8$#l^%)JmGVzjBJikk#KdVo2fTn-Q-uK)VQ2G~bGd4TYhItBhUB{|gC#CM z{{o9jk*t2rPuat~H&USd=LWG7z}Z@#GM|qfEQmX4MuHrz`QE2A4Vw2XWp*-Mn`+qY zogqlV@4^&dVD{Ofqx^=iz649ya2|vH;U*Id25ehk<9V}{$>u^M6ThGwPK8#fVgGDz zO0+QyuQN452KE8tcH5xe`x780?*7aZBimXoNffC`NTz3Th!~_FEirb$4{nv|aT_dH z+ET^ICX&a>_BnmsSr&G^;a=OG54B@wUNIRPa@DwLl&WNr=rTSF7t1*7W(j6-wV0+A zwy2>VY@ebDo(^rQQI?-jhJb3bV|3&e z)L_z>_MkM(XxKHNC=hbBJ78q`vgN9d{^j<4&OHG%&~vd1Ip#G(x(@ipFQwlfoB<0L zDeL>8={!r=8L3fZ(X)H+qwlaUHS*;6F?Atr=u-t9;Y{jqf#45yEI@icJ(PM)q=tEE zNO#i%5bdmt)-WW~`7SE0m;j!L$fvN}ar8#*kUmy#keuo0NHL{%C3_#30d&7qV9|n) zs0t&IQ^dtv5)4%4yn}Jh)vU7eLAU`Pp*LlXqP9gID7_+ivIk#SQg9_!OZFL@6SYr22*=>+KX>tJzIvU@XrsYvEK|_xM|dFz3IiF`Jc*lpraUb) zkpaOEA6*?i-%c-YA5ZtY2rnbCz3wzd!WJJ{YI?F2m0yGtBfTR}_~W=dOXvzRBfcW4 
zqP(9kWQ~-F8Be|4%;>iDVBGk7*#FUJL;E65H5r=X;!>>^-71{cuG4jHA-T9&vSBt& z>kH52sk_0%(z*{_(Lhsrv*%#!&6tXD?g*On6}(;(cOuYK zU=>oE#Nd{T>XxU#HTvljfAPWfxd$(aBkT@GPkcF>R>Aikyi zF2}~buc~0jFZnWJ-afM51>a8nVc44CL{(KWy%9$a^H1gd`< zv?XX`n7uVdRgn!zc3w}u#x?A$JZf@J351JW=@`nAtIOl}hziB0jXuektkC7b+Nlw?HcQ!*aS0Gcqm&ppH-#{WJ;K zn}&RpcNi;phf}4y`PQ$>KsMh4p@v@SkV)3fh2Np5)3pCk-9&`H7QE1aW$oK=gWK|{ zb#W1}634(~w&a_i=1!He%QkgAhgNQ4+YV(6pTPPd#tIlz#hjB?L{R+?J#!p%dV*ah%IFMH)N$2L zuv1y!W8qrI#r7Ll7gnc|3H;yRptV^&UsE^wPWz(^L!Vz2X*ck=Vv5iqel$WECY^n& zfU>WE>K(2ae>I6?I;P(lvjbOtcAxMQf?ye8!;iP081#1HE{v1qh{LbDs{mJZcJsWO4KSA%-M?sp#-ggbvrVgIP-v zyk@5HyuxfC4$vdJ-9ZBkZK3I({P>n6w4uHE&okpCEhw*2!+JdHw4$c!UAurDoYSFR zL>pIJY#mV6Q6jU0yU--IY)@C?Jdx;uDB7>681V+rJIOTvFyoUN+iZ*!0pQ{ap`LNs z7Qf|s?@E_8T1VWSU&Y@XNV5C!RB)e!0#iagSCBvu>%ld+kjXpdi8Pzc9=FF{pqyZB zyImoTfGIJ<=>Ij^je3^?IFTcI0jnA~|*A{~`7Q7H?Iga9dFH zi6MVGle_J!`OJ}gCgqXgE&KO1O40eat=1S5;GvSUI9&vmb;!HG#{KZ`Oq=iH-;-01nU7$BVk#dSu%`$vQ_*oz_Ela;e(<)%#6roKRDdPpM zu%aET$0QLTC!SKhUX5cwdDwjYY7>#=Za!%IaWOD>EG!H~*1G9$F&@UmXe2tlLf-fP zVfCa+{$ExP@BTklkCX+d4cyUrf3#NJ=fpwe`{8)tgQ~{+i!wJHSl(}Q*PZag(!Bf_ zz=ndGG1L7Byf!xoimEyMZ2WZ#r+185U;sp?qD_wogTdN?_faOaZnJBNGeGbB{~~*O zszg+2i$w91&;Eg`X~=O~#|(VH$D7a09T^R_70eE0orhl`D&`a}PFUuCHPPNz9wW3& zq*he#BFKnIKHD1)5&pH^?h`z{_G>j9ra_2IEuxf5D<){<{-glS)J?Y@CM+;@48@QN zj-rT(t${gY3Qq#6cD_OzR=ehg&9(wYD|6)0ra>uEQF$q`(T3@t8$F=U@JB3S3P=Nt z?iIiurF-ae5ctI=u(qxzMB-K*t}qO z@}qKV@MRfD@?2dN9BlH&%;M*Rej21!c+3vp?{NpG0Ya2gLvR{idnSLkYD2_F{9JVXv^0sc+BpC;#S^8rrkh} z?4BCZhKfx034a83?OPnhL=c%PbyS!s#fPmW^HsWQw%c#Txj)}E+jps$~dUn?)4Q?z{>MJM`G&iZsXOT z7ELY-Kdw-bOf=>+&0)1!1_!wYfjDg`D$%G>D)C!&??X9W;qHGj2Fl-xsZ}l|R;7}G zVA1-K%weU|sAKs8_ifhIJkgbk!7n~_Q&_vp=DpT~beM>!>rg}U5jz@rQTOvoMLN_* zBjlICy!S>Y+No>5eg2&lQ3U#!gHGVrlf1`$G1;g;{8&pSr;`1KiAdzPalglfPP$RZ z_Y!y7>XvzH4jylzRPA=IyRVu^wu4Tkl}@=SFn@zftHnNZ-=9B{*X#UrPom#JT55SW ze<3>FQ$$&HLD!}|u9`!XO>IsJM#NPooxlSQfH@zlP!OL$UmkFEjs&K)&WjfZsOp}L zOo*1CsW&oNi}^na4j 
zW;aleuNw9%mT)2SD;Ge+_noyY=*qho@53u-%7dL)|DbwMwsh@+iE^Wb(37Ytwtdn4`L%WNflz)F2!^i6-fUO!Z)Tu|AtNh@D%m zEFP!Ln+gAmN7<14H+Rsyr%nJIG%{E1=)|Nx?E%6e==aaq;ljSf_Nd71rcIn~>TIwc z=P6PXDk;g)%l<#;M4OFp#bZy6eeMLSVTJG&W!{7~vLSo=&e*}azP#$#2@bEcg(%}6rXIenf$icvbp5G+OoL<6T$x}eZgCteT09kn+x=w!d89CMS;E2 z^x`08$$HOLYie1Zp}+a!&(i}BI_ueZEn}~NpLM!tkaZ-pWi>fZu@jZ3Qu(aPd?we! z4Od#D>djNfZpM}eJE=W|o3qWrNlK6>Hmip|st0@<$Oc^dARpDkh!T)(jvDC30-1WB zODPKVDxUt5IlpUBw{`uP50fmZXn4RWH9#SR)yIHH%AS&@FRuDcVtvK^=KFe%zP?Q! z^li6Z4J^bGpxYOZuXitM#Ot!SWMV+1C7}OVOvQ3!*_v#=R{Alvx460-`qyU0c~Ku@ zVP5;2XA<^{_K^VAwY`i>+@e92pN!Fz8vW(ZoL+~RX9QG=4|Ok@b#~D!s@Ai43S=-I z1M%XXYtTZa)pYV|WD0$!M%&om89LXyfpWUkf4tf<{AiX;84ZoRe+G)dP)nX-bg{da zIrsw&Ls9?TeOzRwMO*eci$}%#wYOrkIC&QMcw&?Hv8JFK6`z zq_LOB$CTOl$lp zg5{0Pv6!XsZ03kyLvv9|PFy74EO+<#IE`<|J#b^<6q6nvwD6Q>#r~;tZJ~)2fl-zI z)AdU@M5|{21Wma_G%i+ewKVl^emIzF@A$J>eoXOk?9)~UM>x6!i^G`fGLjD0WYP9H z^-h5(PTP7PE`6zO;&z2)w1v6wqw-ZO@4Uo^6xk%Tgm0k*J%oF5f%{;kyfAV7DqTuZ zF4BnaBKo;Gr0@B*@OnQ zK5QU!_3YunWZMOvXxFg0b;JIqES(gh;j-s)04-`ly#kNDd&`uH-=0Iv5{vKAzrUVG4-QNaH6C;YqvrNZY_dYO& zh9mcpL#B+872qNB6tI4foaCU9Zqu?zU=ckp7zhe$B(8dvAZBAQb~G8Pk~z@wtE?-= zMnc}xN!dh9x&k(Mt;QnLqUnQ$2EHwu|1|fi_)}_Tuh~mmP=Ez99%lDNY>&SnF+Z{% zfEd0*M2RBtMRyvR%!ktbi{KLPTX9mMGj7u=iXJcq3YNib?o_xcla}C+GERbX=dvX2 z^eE)gtiQg9rymMC4=~5^W;;yT6Gc3M=5vR(wJO<8ZJYga>v#3%O#Kd0%_oUt? 
ze}s|Z2b;GK@b%3ZS^JIFr5z~d(bV-s zBS@m8MD@A}C}*UW$aDP3zdyfSdF3_v`^-XVAiCsI=#P7Q{#6>O#A!S-pz|opj*V<8 zZ74`9{QbT(y7lbDA%g>PevMU!&kS|Ypyn$@JP#}nbaj5pSA|` zo&j>Q1a-IKV{otU(EVqb6_H-tUSv_KNw);WcIhfmy-#~agxR6VToA1g&rWq;b%$SIj3Wu zFWeO*FM=a0iLEIcci z;pnL*bI=f*dV+pKM{a?w>o#44Xyv?%X#L-WR)hsD@UNia{u8xr(pa;W%Ffx5LU!j_ z%>&l;aEUlsX|s*Qk@2dVL*a%89i9a3&_BM@0GgIKupy8{4;B(wRYD26m-cfv!|c)gp5>V5$JUHa%`n;zW`% z&IF9azc95cJrA-Us0YH+tZ&ddsv{v+w4!%j%}1p&$SY|Sf!nFBOiRJBeAui!QRPjQ zrE9Cocd0!*;`baZJ3&Gj{h{ti?#7+EaO-gmPc zM}VA=*$Yd^#q0pnolme67+2+Nafq_3OQ8l!{_Z{1_^pim9;`>MrFq{~11bsOty|kK zSx2Atn%|I6CERUYGwuTk7a#k5*QJK=jrh=}-E{=u=Cd4hX-UsWjH9b<)xWa#dsvs2 z7Sf|&1&ThMu%vsrm7-tYvGoy`cs^$2_ExJEbjE*ExpG;upn7ODWMW45M@fVFe|&o; z6JBF`fju)Eu`^Zfx>9roiY_*DfjnkN!1aM=Vy98Q_Uobeg~U8Wwj;Q0BT+0x2ETH* zaBh1u;3_R3tf)*J(&sGZuh^B${%o2Z$_m{;1oBTC(mnl*O-*StOr@kFVs^kb>P%g! z?khzS`mf_p321%M5x|wRFO{~F@kH9d9#N^6cms!lJJz z21vUO6S(#jWK_b2ZoS7GFt6{N2MDM6t*680&cI>Qm0lAD^n-!ps~D~41hNs0 zH9A|`Q4mU84eTHTKO%w|{9+)5k`riT;=6Fl#<#^v@p)-LMTkP|*_!9ac+Hva?XesA zJTZcc0e7^ws+jDnPa#{U;_+VvJfSKsra{p|zK;8SnRJdpLWObAo)wW>u4`PzGsQ5O z7*{IN$N)Ds!LRHKWaSvd`b;Csb5EbQt_+7wi?YJwipF*jk}!DUTvbw77ix7$zx!RC zmO?*oO#;T4%iS69hfS{lLyQ=dqRG;%0M08S|C1XiXgSWwYBqYJ%l_J#!DAz0l0mXh zDARDp%;0hHOLi)yP!dzpLn&f7X7}Jc_RS-4QY)~D&ZOB=ISeHA5%mg@LQFAass3!V z7Y-=Vw*9N;)U{Ux6QSDLHL*A50}U~tlrrO|Ae@~Nl&`*4K0&yth!tEyfUaP`ZJ5z1 zSJhaftxq<`i`Uj0)p3N`aRp;q2~7K{IoEmE2gAGSXU@zLOtT;$*u8DLodTYbX?9SQ zbZhKvU!9f(?P+pNcA}$tcfDs#1_aA@Whrniec^0t`+nal6Qh__)YYwgGHSa6_wDK7 z_yCje(7&P9uK|}P7XYxPHCQvU1oU(aQ3=&a6x(Z0CxXJ2wf=6iEv^%+LbLGd$q5eT z%vGsajgE1RW((onxUFsYVN=~cj=wrr2-X*1NtP3U z*9jYR1VJgJV7^D90z9b%*oxkRjiQU5mAU(U=(r6pC5W(;C}-O@E%)JhG29vHwMFJt z)S9|617-R95KBpwxs&ZeLdBDuj>Ys;KW~wFoZLBKzjD~ImAQ{W(?ufb{j^8jM5#Ar z&s)V$B`76^UIdk=Q!r@yjk1kKBxA$0b-!lZW^8PtNW_f#Nk^m`QqE|=4979$Rctls zzg12tH-iB@6pz$=a2>Kv?AV92HtIHI8;P6+n+8Z;AJIUf^pWrOnUq&?+Y+ zpP?k$9TSPsISq71HRLltLQ%C=BQrQdWmJ4_TF<+Rj7yOLxx5sMS%}ZD>|ZnvLuS4yJ8qUHU=vNZR^xd2 z1?Fu>to!=HU!tVOZtDNi?bj8@n)TEsVl2?$t(+dbYdSGsx9>ct?N$NY0)3}p1%H_K 
znqS&TH?xe|f#7ix!>JNNmfqw6TJY9Wd3sKu&}4 zU`_%H6M|@wM;TG5>P)x4iiEMZ^qS-}L4?U6Cd>7|@A`k+h!htQ>G-qDv7qNO8~W|T z^=F~!knC2_Gs)PO%(ay7nt_iLHY}NSMuN&TaU8LYAt~{O8NJ*HP^CtUB1Kg3G5D~n zJBYj%Cc=gYC9-6ADodrK*;pjJiXPA!5(&x(rtm>lo|q!R#^P|=bmCi^;q?n(-&xNBwJ9n!ElCMcHwQZ3dL57LS_G*EJjAq zt5wsOq<;viOlIO_di3308bc<9@$bShiJYaM39EPVJi0hy>n^OYvK4sBZn1$t^X5Ly zI5i^X3)<2~S*}u_vF`7Wv`wU;p|?6*)-<;LikqBF%wGb`v@9{~G@KPMGBX1Qwr2ma zwLiE1W0=1s-CkrRCjcF&=_3DB>{!>}OIfYCdH`HaqXGqM%cw_L8XSylSF{y6(`S^g?ybo5)6rK>u^vJceQK){#iKIDM+XY-!B^ z$N4jnL|H$lWs_MGd`yYWnFB+=x~17_NMzmGDb`B|vSIm*STL_zcpl}FA0ZLXq}(>G z;Kl20+7g&mJGK=xSaj!0YJ#UcB=@&SP|{UtiXMgTQ5O{<7nT%XiUJeFR0o`s;<+~& z#!r!>W}D~M+vu1d3n$w;=_2WxHOSQ56kiWa=Hr%;q?zOOdo!eqxfoRugLvk=eHlZ2 zwo_AhtQRTOa(cGW`TLuQrCKZ2nc5*ftfQzWx_DbEL%RTnjcRPQ%jtmo2UEP@8M18k($&|z2;0Vgsua0=QOIQ;KEgOQa~!OBcK8av=E zks)z4)kb5~SaJe4z5q&Z*~SBIoe*tv6@mfbvx_bIEw`H}#$%8ZIkXKsn+*ezSVWw^ zA-zZ6$^M$E zjp9Z(f>jaR)(gSuSXft{&~#VV)I1mpg=3`%9;68#zG1{G#$mF%n_g60TrLV!9(3vL zu|JtSvBkZqb*+2P!wf?jvf_~Os4>8WjXZbnND(dwuX3`_zw%3|(Gb2VlFDf%5J%&K zrjq0%*@fE|zgmU}>T9Nx5MLJgw_Jk&mon$&fWy~DBN=Hg;AuuD)VKygeD8Z2*%a%6m!icw*UN0fC55%EUZ*l5Zu!1OU~E9Mhm zNXiX^0?+}4jk6Ga*5umAUR4kl{iitNmuqr}Z) zYy!P`{u{2-SYs2>pmp#JPCAs*dxrR4hO~pzOp17c!HUI(SAerqGOjA9xFyI4qfVUs z3q&?<)nD|@h^xs?eOG=S-=qER{@Wpr10{((w z-N2<{G3;-+fqq)!eh|K{C(%RsAgOyuj_s(d-q4bqepz@pr_ycavud4o9{IV$+;y<3 zU4NSlZhVB1(gwb~^!*Y!J4V9VAF>rYmr8q=l!0QGjc61mP%t1RPCQ@E(Q{#n?a_X2AA%`R@;3Ijgmwa)0oNNrQAu8fM;ggLKUeu!+eK zHVxDMjsKNp{ziXoYA0b*(sSxeijm~uXcyjr3e_ousmk3{M1|V#!!*M0B|&ubDYj%g zpG1#PX@%s^TncC|3b&FGpNWq7_={qg+T^=oQ>mJV*0r(W2~YB63@N}Y0!a-W3|aF^ zJY1Rb&VLzL>TD~PQY)MBYWr5Lv66YX3z$ZZ`%O>9JM9$y`SW;op%Ggjvy$k)?oL$ORWze`oTh=}Bb0oL~ zenq-JKe+%_9A!7*m)@;)b^Kj^FP^&i+Qm80JRI;_n&<1paQz?=^jwmm2a>SREqyXAE2>$cF=_hqg{OR754YWGD^o3P_NOr~jDa))m!vTsd zgw=m+ZrL|$XJ`)<%6GM2bSXoI$3$`N^(!SG``fyPci>To!j}2igaF)3dTSU)5IEk;iKwlHAa?`` z088S?w$PzMAcxmt93FA^p|y|K6aLcuGdH^n{1GN4nAN71rm?ZFocS>?8zJL7!Y0`s*i;WN$?lzOhrS!LA)mj~ z$cMgG&%Xy~bK&on>G;r3yWiL^_BZ}E`%TH(jQ;%o`djN0#!?(6m^fhFkqU=V^z 
z2uEkb+Waq#Y5AyPGg`=QJioCRBI7ap8}zW5&TMRj$-4OP;nE*}3${T*WjucKReJcp zXJ19u2rwq)tgdEDzlG_Hdk#3V|ijTJ!oY(mX9#39wAt~ zO>F=5Wq>G_PRC>+7E9Y(|)0)$c} zkk4v!_z2OF!PzfaCM2kgIkbB`1GZz3?&NHixo&L8HKRIZpG#|+LohO}9Fd|VGg4y_ zce-OnF2{Y2Uw5Y>`LLJ6x`GW%c^4e+DYV@sLtrwH!oUl`CUcKFod}o=G0 z(r(YLBvi{Jg*^sCVm1L_mEb~ccp(wvp6(&uu}?0s{xx9$DP|I3BioI`E?P$HfltWh zUCvgsZ6E}Tj}#Y#f|JnLl%OlAgBQ>4!4_+euuEbHR?u$p3*|fu8Se6<+{6tFYKE`x zcIxPN?S=ut`cR6R9J=5tP6Yw!@F=Pw$4-KPRn1`L@j0#d8s^ zs{y!99Y{;8RLiY32$_gL@yuYRkOEhvv6;IZpSDnMk}rJX?tg4XP%2&p4Z;7%4r)%T zqs(R8_O`!y_|19L-TD&girW2(0qv9IwUVjqVuyR`JTD|f!kF3TCFc0|Ek>N}0+l@U zvPUrjSi4G+*=1#@|CuoeB!geAJT?!-!0n0mVQ~w6bln1U-2L0z2u>rnnLmm=Oa!e? zXNo30t*v4Z|tq()&Yl(4xW$@m6rMw1w#-Y96;yBvpdoMvoP|=j0Y)#LHic zJK4S8y;j)K|6ItA_s+H8ggfs5E74a+orz3Yg$SA+I*WPL+fd^HG+T4>#Ye|c)4JbNeZuodYVhef~~W)MwKPXDK`9}n99F!spb(5vf-lJI8<-wsZW zD=UBKvLsPNFHdwRSRyf~WK&~b_TTz7_8tg-hKM^S6YlSvT!i7-xA9w6Q3f!+G%1wF zh*-7f=j2x~{xVtZJ8OiMqNaH_p{AD5YL&*NFdI(Xw%q^(E;k__CS_=0FE_o2Qn5^k z=KPg+ERk~aY*sVRHhWRnTfhVZI7$XBzmp-gV6auJHQP6OA6OJC3>-V3OumX%?hpu% zchb(KBOOVY51pexv_cOL)G1ksR2`A0==aW;zR%af>*EYLIe$0C&xgLR_kAkl=Ye{O zFW=YL_ua+9!tWAjkN3;e)zgvw+nGGSsfkCd@0Zg(amS~X0eQ)P-h=uRBr}T|C`KS} z)cFzh*fMA=Uo*i~?;qv)QrCuS%u1m<(Eddo_(xiCG*oHpv8@r_nxOD$cmr3{Ga~)Y z;Zg>asK`vzB3y*IX)s(%%3xRxK_ksIo@j?{{1Q`vi<@y7b_o6o#&FM-SR%(h!cJA@ zFeOz>lWP`^TgI)jTAP#Ez3Um39wAK_T65A_rgB~7Ac#Y_Q?LAUotTP4*CKsCZIB-1 zOh|2v!9Z=i&d<{fM!F?k$m);g#nU>2>@-x+)hQXwW;yJ}1uz>i7s=bBIwXv*)ltaJ z0A@a3a-~Y3IVll&8oz2L)O0hL1R2WgEgO)_Xo+Z$7&u#&`2Kaorzt&6MiXx-uP=$Ma9zBj}~96w`0&U zLJt8i_jwI=tb7 zyH@8tb!H{ggfc}NcpXbwr%m(AAilVz)%kY0y@2)RpDu;T2?cW|i)t{{04f!U*}(v` zII}u8b45FkGeh5>j%d5!u%%;$E-;u*G{{&jx7*vmref`ZSqUZ+$M)U)S$mL4aQ<}I z+2$g+>55QZ<&^nW)u zWOI*_iHf97Bg2Z;yxlMk5Z$Pt3ymvQM z(H=%YjIiuJpauk@7E2{a-B8R9gdmFKjj1teOmo+@9eD$kf~XD=+@x+W^2P~Ek%CO> zX(sYN`;2YdwtdF7ZJn`g+qP}Kx%bQa@_xKzrMkOPyORFX>Dqg( zwefD*0vOO>zSt)pyF1zm=tskIb|~XgF^?eMZRQKw==g}W1<`RQ{GAFyZZKs?ur1c1 ziWaJbcW6`4$29WY+Ok!B6hSNY`?nLWO*)Z8wkG$SZ 
zuPV0g@>g3fxVd=O+_m+Fvx1!6mqHUInyQ6nJg_-kjUCR^jn)`pf>D)HRXbj5oj8$p z6%k2ni>pAE{t{@avFp!v7JPc#WykIVXqS5xHLiJ$LWf%-eL-&EZ`QMVn12B@XC4QV z+)(zR7Q_>A*jXxv76@2kRvHPfcr!1~80CdxA4zZ*)(rlK95lhzi#`Fv63=Si%tVxGg}fiLC1P)dcsKN(Lu@V9FsN~k5OZg zao=OD*y319x4eRmQ*0+yTC#FRSRP&$z52%ZYM_aL-HG*?p|b}XsmbM0pafUF2=3*t zoy#Z!8S&qgj|(`aR4L5z=1z`1@dvODpvdObu9>%xAyBqQ$w&q0*|kr!-IYlT%-(rWJ>&@y^oQRJW!}N<7}WH3msbhCpmn6_V;G!P1XV}yEB|_Y8fxvq z+Sw3ZokXT5V|L@h)(=f`zD_Z4vw>fVRKu=X`@pa*vnzooMIqx-CUNslNY@@vNxCd4 z^R6OPj(W%41A%b>nvXo*S5S%zyTlG!KG)u!VAGyVDW}V1Ejy!!h<>G8ekkfoV&uo0 z@%yDG=aYl&=RNt$LMd1cJn2D5dO)A3q-wnNtly8(C{mdv(gHCE7*cl+TR@Qk%W9r> z2B};B9baW7FVSYM+m%_kdB*2<$kta@izYi3hHh?h)58)tTX1EYtqGEgm`+{c7K0v9 zjcKR?1K1xC3}LG=N*nFcRhOYWop`@Q=sv0#gVOy*z+#-(^R=A}qkG{B~2a zJ_Z-COX9!^Q6?$r1WKE1Sw^@Je9AEqa5n?eFZBuYNI*>I-;cmV8xlI=Sv0v^b#)U2ymvQatvu(x{6E2ewh0g(CE+w+{ z@^*p~<$?>efpxlJR`h4JjQ(fOFn{?=zu$BjH!?$2iEf?Q3BRpfEn@G-?z)qzee3f} zv}RLGmz6UeURW9>jiYhr9aRPcK{&XeLgQ;p0xD<@cipHrN?J2FP`54%%9B@m9!>s3 zkT(5P_eKr+gYC9@kIH9Ri`z!~7>rGYC2ax95*-p4E_X8 zItaI4>ZY{c&uCb2yhhSFz~Am|rxlgJXA`>~_i++L6Em2H9ynA8s0dc?Cq8w(6%C3T z?z(Q^3n{Q=H+>)QWjCJ@;ERi2pcq_)~*3$QR{XWw2YExN2!pr55FNQGKY#Ljf>=ISsC1EmHh1wXuAg zUnKWL%xn@?D+?XUUL8x{?hJqH{Bex+34tdVNMOo1NfuL*Bi-x4KG@9i$}_GXGzX_I z26x2mk><710^bl3nkxt!@_5cBo8$yg{1*{fHpO=taVMV-`I>8pJR~3Pc(t1KWk)XA zP&wt!N}`z3eq0{>eJ+??OYmUjII*%UA2m$xH@Sk$Ui1AT+x)LkEm{@dFNrISlh8NZ~vxg$;QK!Y%`(Ovmf*7ef!s^P*@6 z{<5l7aAKt@KXV$=ur0jy%NmbBJNmtSE|WhvQGQxR4nL2N+_%gXyCa#nUlT zyZjT&80snHAwD~v_iklcpk+wJBypOu$afnAH430$L?t3*q*pJBt;SAoxof~Ed~J#1 z{gjC%9;3-u(V-pHUw|ovy5--5fV&v~Lnw~^p2r^8q*+^$TDqLN{Iq>6@S3SK8`i_u z^Sv?UxAl4TYc09-k+K4x1y{9o#8SYSeIMMiv-|}_`N_9;J94L?9fp%?VAUNes=)H~ zr}`Y$-dGj?ye2Qb;&V-Hzc|MsiaYw_RAz=Sa8A$bqD7E2!3wyuS%KqI#ij|MdoFeP)x0u^c#cP_A#H*IlV?rVa%)+-^R_30I>)TeW- z>*iBFAQ15jD%hK3LQKX_0@;i%yUjc{>&XJCNW-h&IQD8$M=#@s#jYpz%ON{H%|r+j z69|bk43meHLOjizco_y+?9`_NDiv*b#a5aHIcXl+S2Hs`ZwfUVqXkah;aGWUjwMmi zW5)0^-zP#_l}c-Ncg$$|1- z6nk2_{Hg6_d3|oO{MU@i=IGXCU00IH162hNy|#`2@EFEBmOr*8jjc`VeP?5Q1Pq~t 
z*4RO#S6$pjonh0eceHM|&dABkJ%Np-t-Dn4?0pbPtc{F)TAsV49%@ATXFJ%9)3F_f zFNU-5)EY4*LZXgo=mh%2+-_LVs#qEv7 z-MPQc5+Of~RZ25jiX>4E7u23}{nim;HqO6MC8O=8w)+TMUF-qBauk(;fx^i70@hEZ zv^ndS8Sc4zVo`_G`0P-|{N`f%^!w)3-_WW^QmPu2vpEC{Fk+78~|`=H3h6dN|f)UaN=S{ci@h*l6f)xUsRpLDf-O%=*D&wLS< zddz4|%0C3}w3-`5!1^3!Qj+lnTsXSsZ?1Mb%_iW~b@y29V~K?^j}<~JRi9kn(xpg$ zT9(#Il!Qs9>Rjy%j60w;VEkNV2qA`Dg+72D!8-&_F2h0Le#`%5K%!u%J+R3Gt4Ygr z)y+`cVl*OkfE08;3iHN_2OYPi&qg7*r`hG4LVUL*G3Eht+!CB&D8s`5#?+Qay12z= zsPz&`ZT@Hx;wD1S1#4iAN{PpE{wLYogfkUO+SG&`X!QNes=Y7p(ls?fK4$wdbliE`O%pGd+P*e6a z>VmR{fID@dv5RNHpFbLeT%2c7Tlw!BIJ%V!ilBvY^b!f^hal}FJTe-S<%VPTi{~Wm zxWF%3vLy{{;`k)*+s7|u{^9q+z*>{hHQ}}pe_TY8q?}@`>cf$LXs29SAKehN|MXq& zqU^7&-@$-IkY#2~C69^{U8k^n^qGHZ8Y`j-FuNMDu{&#$Hl;;^3&|9dGYYdQ|9Z6% z1R`}4vrq*m)vzN)Cf!TRhIQRQ3!KQP%1xjM>?l!DFDNQcnFDd9Od&51et&)qk$v-J z5q51ch!9gJYJG`S*;^A=MV9o}CAxV7zGc~`>0n4OSnbpWi+XjY?Yw8NCqeG^&-8(B zYAJsZ26M@x65CeT1d!^kUq96ZRD}z3=;#n5$KX|E%L8}c28tB?GF(74(XcVvVv8{9 zQYL2JBNDGlP^?*J+4;rPK(%ly;WA@<|L``zKuCSl>wp(n3g&ZtG5ZMkbidnrJq#pw zko(%06+$Kd)~^_U5T>XsYxLkS@LDCDZmfs&_hRVw>#yOCHCWLXu6 zF<|RF_9bS~`v~P%g<5|qp2Si8q7cIU*L#O&f9;)Qg<8kO4!h*v{c`H;|A$NBh!D0v z2oE_!b%8Y%R}Bygkd_y+!6kb}MO?r@0Esgmi7*mSwU`lZ4YRql9uLzgssQ{l9h3n` z2m_fbz@wNWu-DfL0w50yNvm^5Vc(gA>K1jFCkXjY5?7b8^eCJ=%OPh?s1Z^Z{S*N0 zK4EKgQYqLL_NmsP2GT-NN0~i)m1#YcD>1A4$eXdfc?Ts;dAsy;g%bB8>^L6z6Wi6J z7qcn$47T_1q77Q`H5hMPDY^CRZYtZumlLlHeA8c;?b?Iph4UT$GOWOOs~wqq6y4D-yx17(l(S2^&HSnXj=O zwtKF^^iiS;r`_Q{)D3nH*c$``ZE*Fe7c);9aDGIWi^Nr)TS$(!gUPR+^eC#$4{1tq%EeVPewIn zM#?UQ***xD;<8U+DvQ3Oq{`&C8}$8bim3Cmb9pO=tx+e;375<2G&vV_8TdCeH)-*K z@xI@ z$9&{sZd7)v0H0)r@&lZ%qciC0tEA%M4F9^?V z0<(ZH&iJ7o0@niJe5LGV4csvi31k&UA9~R_xCrsfx;HlGDbOyv8Sz*A4|($$3%4c{ zEQ_W9o^lJI&K9iOhO6Ta?X88-6WUQc&Qo@n>30{HyS*@VW8@X)x_!|ToNTQGn@-ZX zXkHj(LL+-(02R>y28AX3L06BBfVeP?s83?Ya1E$aw6&|NcZOC~Z+$dQBV@?X>Mro; z)&MpznLTrc9z%qc3NKbH(<0W_VMIqaxoGQK*BAj=$T`qb0mvH9(Fi#_Q zb9r8jzt8i+u9B(fi3WUq{TrjL7ONqPe=~knAql02$3`yj`|(@|98CQR92_nJ_^efv 
zsG{ghuIt&ZH9Z2jrIf+}?cG2f>=iE1luhWQaB&Pv+UhgV%G@4C;aX92LVK}mgp4$& zv|$TLlW5vJw)|fDRx=jK!7HubtA>K-(2vZFg>5nU+!z@YJ(h8OciExK52yh zcl2>=8hfogcH3@y2YvJ2VxPlD^Pb* zlmd5!S;GF?LyXbm=AG+#iId0=y?ivcFfSTI+l$ZDRq0`qg3@SkkX_b(29c4dG*86i z+N!TYGeP8KYR8^GIp}Q|Z}A!t^aM%V#7<|dDyN?&9tLgI?abw64x&&vE!v=y^H)1y zsV3rFAx7FJ5g+m1yuy-y(eG|Ar44jy{D9qG-Qvcbx4 zRV7*M&ShX%;IE0uuZT&kvUYME9PWxh6K!waYEpTG1^i?0Trk9>_|Au-w3tz@zkXF)u?aw49usqF^mi=%VvJL?p%{M z5ihP~4-3E2wO6cLNZ5KWMYrM%NR1-r=^UJW8tU_buX1o==fKe3bV;MzB5O9wo|=}L zL$w8_%}`alHXWNrI&Ag%WSa;~8a?U@aN=FC^6e*xuG#|3epcKi3p`Q~=28Qfqvvee zCM()C_IXZ9^#p>I3Kp<)pu={%H)k(mMK#uD)pJ#I-Yvz}&$LkrK9;E>no-ujgE3N` z6Kq=~=U!$sV-nN*Ooo8|0CDv1>_L^My?G*`Uwq}&U&y#Aq}txQO1lsQB@dJaEi`&@ z(h`t7kkiOiq&>2LFpRAFBCQMk>Q63pE%D^m1q5S8m+T>oL&(JYSV>7>F2Ty%QLcbJW zmXXya8La`v;eepG!g-c`AwA~|Na|8cwi2Rz|-kiGl)*MRbb3+qt`5yx_<|EfrJo+dPR)GsUA< zvs{n8?Zj@1U7c{zF>Crkv9bIyq>~X++;Ecv|Cc2@HdeWEnvz3mXh0y_oG}n8oVjm} z>w>8@#5|!G(AdGZGM8BrucARfXp}h`W5?Xw*H(=68&nKYv8k5td)Y!*)fs!-| zcBSw3xb=EJHRQP{I3e^IUA()3o?GY5ds1<-|&Y+2Kx8BuwX7ITSkMF4RGY;DFvugR+2w1fN!EAdEZ5cDQRPetY-`3 zr&C8^CdxdFR8>(N_J^fQVPB;w@E!g4Um?QWX7vWDNW)lPo_9dLvW;czgkY85@fI^^ z>=LooSnx`r442%O<=q{8Rd6fv-$i za+P7JC#&p*yl(GlcFPve?kRc6v%f*oSNU9zpN}Au@C`K*ceC5Hr{a7lwVSocl)};h zaZ?n7K8?C25y=oy!og_OVOk{dL9IPXvd8rNJ_S-CN>Ey~I@S?1#-zLIWa3PP{hwmv zw^5wdLZW!$7lxb5g)Co|tk25QExWf@-twcfukaXO53cuGzv~~C`JeaA&&5=g6)%T} zJD`rhN_${<+K@Q~a@eMY=nfI!0!v$P#Lt|$4Lx(QWO$} zv6v_rAmeFi%J;-n_%^!~eC?CnUocLYvlty8!n)QO@7JC>FVvXbz6*GM#B3 zxxz8@p9cFu>V931XHf5$)sJ3MJz*N!XTo*!n{|`%Z|NcqT@4I0sYaYAIze z)Tf1K{Qx0J_ljwG?!YuY1CY9Ia(70vg2Gn(^*S}Nj;&X}sCzKg0vS5;(RnJ930f=$ zhQ6qrG-t^hxNYCC`pkz4v-aAVUpl%|CuK|}6TPhq2t&~^^chb%AJW7T3M-dK@RafZ zazov$Xr#^#f{cyeL40{|{L7tPbWUj~lbQwdukw+yQO(zbBOd|Gt)I@r4Q72E!%`1{ zGpM(o0Zc;~vHtSVP14p)8L31TY`w6RL2@e%&AN!{M&<8ISU`naDyIyov*oP*MQ%0c ze!uFlp))%wB{MigFJE6-{nJ|-Gv%4fD#@wa(Bz-XmrU8|X-7#+#m)O) zQ$4tV6wg~SwN#I>8o03~>I{h|`1r(1cy}H*^D7{+`BeC#nlG@mm6-nL4tCaXdQH0> z(CQ7ak|EjnT+$<#N-enuit;WvF10~`@jx=jh}Bo9vD<9cX^58UNRzdCGR1Y*jT;&H 
z5h`%uq}l7ZXIO=RandQO&*KP=udmA+>NOrrM~$0gTU@*hj_@+Ln{65N8~&`^PUVlY z{l~2f>P?v&-5#%>gN`M)1=(0TU_T}9emk)Al3NtFihzDF`AoOzKAWHkjPwu-v$wTgZS$YfV+8P~hZ>Da{j$ zq<<`?7O7VK;}ledoGYV+sv50qMMv;e>sq6Mhct>HemcCY_|Db`_TNkRah*4V49zY0 z?L}Yj5Epitdm6q65TE3=y6{|_^_a=j=}o%>!_(I5TwE^eT+PMp`iyWW90tZWm!Dto zrRb$MJK5bI8@icfY~)@i_}ebLHGXyln_iwk>ORyY+E%0GAuI*dF+@aI^rHn^ zjZ>J(#{KG&#+ahg;}+>8&>N?DPZQ*gq;Cc~PptV0Is!aD*RRIGb0J1f5CE%Ey!IG< z^1iiiR+%J?i_{;sLFB4Hb6lJ2*3nM!b&!A6*9kZOT{W2gOqNV!yQxB~;g!s&gZ9cC zh~~X&d$p*!gWd0hp5lbD+X+nw6C7PQOQPxY)`+!CMwS?z(9_eUI)n(`cZsJ&*ewZ< z?Wf|$14YXt3a#?$aX&_X<1BUH7EN51N^oJhQJxW7oV1&6c*aE*iqjdHku;J#25w$Z+rU_^tNt* zfpkekYVhbeY||y0voQ+DtZzLf*AABgj<5A90|Z&+5NXdgfWV}=S3$td{P*=pEwgPe z1JxD|_@g6U$do6%gGpUi$U83Ur{LGdXa5x^HRM-ctls_e(r^I$s2hl%73>|9d9M9$ zc}+ugEY^SZd-e@gHw?!*hDJoTHvL12b1WUj1WyGVC92Z0__zSFLYhhJ&apEIR_JLY z4DWa;O4P_HM~z+xbV}{t^6L4fhH*O5uU7}abEx-e`-p%@{H8r?KGnpA<9tkp2U<>**2rw zhs*c*>GcdBLcKCK5iGrFejgvDRI%D0?uXOD57LUItB)s4wG|(+0yrjCq6u4CbPD{o zB?snm2l5f#SMBe`#gUm^>)=g&(WJ#Z4(9!1`Y5!x0$)XsvF`_z-Z7Y(#GYCVo_HWF8WF5_rZMms&2f~n9ZWt!BAXYaT}9><;syxi>X+a=Mf6B7g}(ePv2DAcxNuqU`VdfeP>RY$oGomB%& zR>Cs9b)~K)C`EM9Ldc|{5L^D@wvoqz#v>tDzcmrQNyW&vY23yW?wU@RSO%v+}_+84~ZfjJ( zjds>O18ZHDB_xPy=E^>Ki?{v3N?yA>|9ZaA!`7}OHY`l&fsa#wxLa{GARWN~-OL4} zG-xNSFbnx805tEPp3%Syqtl-5mUUZa(}Htaf`N`I#1;k)oe-T(D57;!L{nM$;w&*U z3`rz9qAO!^0^x{cJPy}#1%xrH)L4dfCpB2~=jrCKwW{dpn9o&R9Z^NMOo3nK(F3uE zvVY0S+jnrv$>kH>V7(NdjIlS@O-!_%WAR;kyv&@Xe9ldAR%M4(TRB9>uK{SF(qF*t ze(KYlE8TOvyhf2TP63gCK4qxMmpPTj(DisYct7v)`L%D65^8t1xNMLJa&!SM<`ZIoM+*_4XA*S zmRw3md1Nm%N}Ho&){^OhNFtb{{Z_1dx`aKAPHv4d{6E5P3tl4DNZ{R*Dhdl65(0HZ zFKo2P-`Sn>T)BOl-0`2w0d}L?Qwj` zYfg66_)X)g!WW`q&5#%nB(%e+bwgSa5;lT$N4Yg zS<`b}0-oD-a2}L2B3iiRMNZEd>PH?C9^6zPJckQeiIhlo5El&&$Pe2gP%JJpTLE*^xJl9o0yRCg_rJV3Qb0M&9+ji9jT+5%Tae3d#&vKFM{M=H93%01Ib#T7}vrJkaIdz$1T(V zvc!asHkFGG0Jxw%0;IIcj9L_+S!Q#FK%F;Kp#6O8ymju|s?(R?X=__DSNe7Ql>6W; ztPeaGYR=;SexcSNr_2X8P>5M{I_(hC#kvIE&ppITFR%)WZCQkA76OsR{K|p$O=wd6 zX>GV6?DA{S*evX5K7L;JSLXWkUS9kZQA=5Z+;%%uXgBW 
zbiWhvKi`!!r|oWQ^3=ZQ#{@TU%SxbrEenv|AWAD(WiwpbtxWDT)EiLlzM1@T1jTs|SV&_hk>+Y20w2y1IzEqvxYV=c2pIe*N(jV+YOo8v?RERHC{p zg>xA@j0Auu*LhW%MfKtCl`z@F=IwBAF!lks+e+7uXu z9{VisD}pH|v&q0WcDYOX5?Llzw!hYnD(~fwYb!vuVk(h}oLNcL`*f34(405ezACKe z+x3!d)-o&imx|R)W`X{mtz;&@Sgcp>Gjb`LkS46*Xy#Gn-gCieqytzik~yH;if(&b44cE1#UgNyp&D#L`!BrvkOWwC3_H_T;B^W!$L!6JDs3iw* zN5Gs^2iL`7Nt(9R_rIqef zsq^~1|HXYzoEf)bEl8&>_}uez_cSDUx{2rrMd&3x+-s#OaLvd#RHYHEO{u~8$2~Z9 zlDvgRO_4+fz0SR^rRw>Gg>NJAu+{WKh&*AWu|2%?xO{m*`<@fo@y! zdxZBLZnW*7^LvV~w%s_E%3kBt*~sqNIAP@p$i-{pv8@uaS$Os6S1P{}UjU{s`93Ya z@+^dL;S|Ca^ec@QDJU$Wh>%v;yae=6KMCoSjo3G47c9DHnM`o-R3uKN_})MmWdaFL zS08i4erD|1Wc-ma@7i>AFCqdHNIz+!_NM<3uD51WTLc+Uf+x84n~WgsriJvk(hqVF z3NWfXr3(lfgMV7jbXk(-$B%g#q57NPpJ{QeFUz zk&numoubSdd}`G=1qHrs7cih#J$+XgCGg!b0(QR~>alYrLtiiO$Lz^ASFHfE*O6$c zS}}H$Ml#=E`-dvIz?KiBCq|>E?mZ-7He8W;11)^<<3QyXzy;VVknWjQdT(||0510N z)jBF?oyj8te;u;#<)Ne+cAlS=EqGJ?IV6v=^94^H_HK(W2=KAdqn&rA+V_7`RG1$! zx*ngP>ivq{X!7}#Xw2v)>xp$U7Uc>J31~_Rt$TzjN@>Pp>pFY)#bB;WIp|*z0$2(v z=^{7OOK=bMwSeNNyN96hR|m)kfN5cg&h>mM=k;FrN4e?s(< zz0$et3O*~UvY2+b=M4q=J(y;j-D3fQs!7*s#}6d4b?JMY+Pe8w{2J~6()rRH|0-Ug zDZZ;6{Zl+eIL8r4$1WI;)|22% z80_KW=fd*q-p1``|KYWbKQ~BsYqR!3FTz(^iMNStG~0Caf%+9If_bpN&g{tV1n|uO zwq!<&f4S8V(G;t$N+`djD`FBUEt8UbC{)5XIb}cIhUT}v*`JyFTeE00VY!c2Rmg1O zT+VN-G60&zxi>KGk*POAB3la$WeDV#tRtV_+yAm^lb@3wx*EEieLWpdMDfu3(_}VY z4$<7U&YKhWGVK%BGnZ+(q%RzMHe5!*aO_FlFSU_Tzz1$ejYlLhNz({`H1IKC=ve$c z0VW<4Wvch#g55Bzv8#?Ljs87p88I3ab# z;z3;CfSuw19chCabirCb8D+-xVVo15p6S!vMo{d2WMw~<4iAZEBKk?9AcqC%?(IAE zte(&oD1`P^I&s-6w-as~Vnl#?KF1wH7di9%McQ97l z4-8w%)YlE0xK9^g%Cu#1dk$q8bIK9tfKt@&P+zNpdL3}B@E&jGdI941m~0u1?m?{o zd9CR8al))g`5a^o*;25VLAk|j$`D>lEBjD^^$p!HH@A-5DeRwxKf@DarVX=OIiD-p zd6*M}9^{sykgJ7jGDT3+`oes$B7=US?{y-MVHWW^6?ct=U^({~Ig34!xvV%LrI+9V zA;J@3@)gbo$H5b@lj7t8rhS&$X+lc#sWfByOqj2;|2d$~F*28$X?&FRoirh_)!0r9 zFW#Fh+OZQFu@EEYQFuufT5WlM{w_g;;ro>tKIhWsl27cJ@#6FosS4Zk_VKU~c)ria zb$%E;juQs)y8r&=8RgetGPs%t-lOP~6Xn+e9$PVLV4GC9qvk%`tf)c_AW 
z9ygZLgDzF<67Vj2iI_VAzzJ1BQ7T`{Y3x0R#T`5S#5<2X&=xM2UTgf1?Easy0pL#c zMAs!b`tFX>V7OZP?~}|JYq-@|yl|g}F`Rv^rwHS_zks&9O|==fTpv;19DWOOYUT`! zhL0rZZuh^%3m*4%XkvZ~rmdqk2!v2q54!&aU;HOT2M@Z+ThfX{>WN|MNkPx$z4k9y z#_48;{x3x3){fd%{|j@<-{t>bsQ>S#cse|rIyumG*}v;1VEICM&|NNvO6IkB?r~5v z!Lu$Em4ETr-7cl@Z!f#j-ydiz4vC2& zSPbF_4yGPa{RrUk#ArbPjI#$^dLSchW+!Qzo~2ux!_b&J;N}Zr<~NnrU+Us;MUPPZ zw%q4JRpY4w+OVU%`JQM0m@ALr!A9fBV+D`(^E@;(JkSS@sSbRsAnA}2DI`)ba;t47 zgT&O|Oa7O&K!`&hX#oaAtM8!9tM%)UCD76nuX20^)6L!f3>g8OZb!TExEnuk`T{UD z-p2~%SQ;-Ocp|WvCY3j$Lr__9IK(vwBh;H3{Dnl=VU1YFkw^F*y#!T zzm4yTbw6dM&nHZe#CRAzisXY8qsGSNLsxZ)tFO#Bdx}AYsoRiZNP1MOE(OAun_r5O zD$t<7ZP+Htjg1_+RD>|NN#-7h7nBD285XUG24NdT$CAk1hewR@CZsxqt*M7bu!2;m zBZ8E=UK-am5B&U;qW3l!In5wDiY)@fh?mMeXjrkVq-CF6g5~xy0(_R^wgLCVgiS`C z<{dmp$!m94LDcAOigxVD=;#-2_%*}`PY2^w^jvscXTp}%c)CDRT|B32+GyGnkeA0w zp9Q1w^?Hf-d6>;VVmQ64Fg}L|d{a-Fpo;ln3qH2sdh&AIz7q_5#qGZB0j>iBpVSHv zWWs0sSk!2}YHlV%IaV6n<7X9rrzAzaoCY*%s()TV=yIzS)y!RK$FEOJqgtFqENZ&e zNc_%aQ_oMMmX}^?$Mc0?ZnP0KCI8P%!|zPW#(EpkZ^-Y;E|cGot%i{ZChyN03BkT& zc6>`;^Sn2L6Vh5yE`q^N@}un{Kp^U3rE`p~JuEK9UVnO!U!Vsib@KArz~#24)X5`3V0Q zt2_KMP9DM!C3nDvl=_hC|3|8>N>({_AYJ#Vy6kaU0V_E!u>2>~gFg&~CN{VlUV1=4 zl^cpJEhfO4b4DM)6?DQLL~8bQo#@6^cn~MdqK^q?jYIAwhu30;zQ;I9&0?%AXo%e3S1brRrkN-`w)=VW$SAzzUK# zr$MeQ_#Gi9*lwlN*^$dWjz#&0AtzK5_+AQfHeG=!sA1!F zEm1(eI}xsV2_ z3eI@N6owu3{w29s#ZnY7r38%J8M;dkWUS4!mXd(#}r= zTA_LhBdFPJh?J82p5X4(fzJS=DJE!;J@OHi?DVt|rgT2Oc;!li(bFIx)JF;T%4sm7 zm-vR01pM0+K}?!o^QUkYmN}Pr3g;&C8XI36ZU{^1cxJ|y*ex%J4ql(%=H}R^rH{rq zCf1VtKA$tC2TSi-4(tpWOL@MYB~L;EbHi!ObtRalhO)GIy8k#6N%bD?QCXo%FuBo;b$KjUvK*p$_!8*LlN1s0~05e$@PYzb+qS;G?m99n6%XP z7(QLkP)(%mwCL3Y)OeFB;FtjTH_}`Fst1Mn7|!gJlawkKI))zFo&%zdIbstx<)S&T9y#@kNoE6NFXajS~f~~){#wjBO@~Zz2VH3C{*=v2q zuhH_pUX5&lWJ5P*8;?FF>_^w+ne%udbNp=?d8A<_h4x3YFwr$J+h>;XYnKbe?8G{l zmNzj`hW68#hlO;FtUZz!MkIY3f8)Z#=OAzaw7P$=ta`4F(T5hg*X~x6r`_{d18#>Z z`z-}qmDgDtf(hO~Cx}I4iF=*g6`)=TcL7KDd0t7o(_}yo)Q?HibIbbhj>L-6i*D$d z$?0k)_i@LZHzLi(Fx=-+Hp6d)E<*9LWw#ovmrEO3(HYKL&Gay&V&yUwt!PKp!z{{w 
zI~-gBZcv&@2{^ggt}A%QiRk+QC&)zLG#S)9L>^p$NUfI-S}ErXWj}NSRaM2vyL47d zH&>hUJcrVUqNm#~{N*wdG94DW57xmxYX@%pG+0NXOSM$|G;XKLMI}mJU+t<(|Dr`Q zChHrtQHYQRZczZ2F-1jLfcx-=Q_fr~7W&vBl;F>y2&e#6#8)Oaao>2PRAr#W6)|&_QQ_rTORKoAc#BMPWeb&GYDT0flQ9 zfqtFVqLAXP8dKad)Lbvk{M>@yl;$SFpFy~BL{_e;cqu0!j$wlA2$pzweqOhpSCcV* zo%1E1>t5R2d@hZh%IWz$v5rCxU)sC5u^+P(8^!D4D^R|MD5&89W@^HT=7`GMt%~akbrRg>m*$hNWnd{WY zhwe0?;>y)O<#Wq=W5N2DhEDW%?s!4s>!v4%_X8@Lq9T&G_3Qr8v#1-#hqL`)$QmR% zbd@=k%a8me>G6#?Q#_^cOlmcN{W0j;7c z_jp@C-kE+hAv*rAXH`8SV`CHSJfI~arKO>Y@HzZqNxKo?!_bJdL}Y`ez%7^^_KovS z_~;n+i7G4EVGxZ)0u4kCj*2~DTO4R+>{4`qCgS2oT-!f?4-=47rr^SIEpWMb8x%JA zN+b%naCw^J7%4OnPIKj!^)Je!u~l8`tmpEzpj8wZB*Zx&SR6~mE?A3qrgqWtFgPtL zD$Zav)jwTidH1U5p8OF@jsDcQ(4hbwN#(j|f7>hGC2%oE?d==1ZoSly7TL8Vse=_(vvNR1rY!rE7U6r;MeZq(EC%Z( zo8!S``xdMoHs;JKT8Nt>Q2^aF@sQR@d9tK>&;X>O<|m7aeiNtNY9 z7FA*+CFVTuh>F8_m~MF~r|0*zv|if9o#<^3G@2gvQWW$FHjdjd#Xil@+CGAhsF#_HwNWYAb!H2FVaBfb9zzCc00r8zULK=AET@}K`nzWMLJ z{OONRpYE$e>=}va;y~RB^^M4KsQ>EA@Cg=8_o%r0u+jJEsolT+rsa1JQPO=J9}Nmoc<6 zA&YOHe`9Fl{dB6{{6fQJzaY=PJw%+`75s7)fS@J6F9_`p+`0p|?!c`(aO)1-y2dQ7 zij`Xj8``_^hX6-?@X(%SI)S5~5Ij_g5P?&!UahGx;D-l6XYD|(U1QkFMy(5&o7kZZ zk+pFp)@T+Y@TsOQdts5|%6OE5id>Rwp^hsmBbLVSX&!@UUCfk>n0c~+3mpa-&QwVv zb*lC)nl3n3+&Y6(yAC4Lp%+{AY&F7*lI#hQxLWK81ai92hzqL)t zcJDKmUd;HkLtV8)eLfb{XK3hDv=10m%Px@WE|6-o${p6UR(4p^9o7`e4r}^5z?!ZS zNVSp2YB`>&&CAnw$-4iTt2=aL*BG`!T3ZUHSjoPIfb`=#Z31t`r~K4HEZ*@Xj%Xfl z4)XbqjYA)#q161Oau>P5KfIamZenQa*Fi*jPlPDfX_X_cE#{bhTx zHT~E2{2t-4|Ki)Z)~H0O?GlGKSV7fXcY_1Cwk)#AebjC_?^)~_qjAEd)Ve57>YK*fy*dERtg2;i8K|kR`*i5P zl6fVzAqS~Yd5b>@5cs*^x?%k>j0rti?Mi?^)JFi}k@Jbd3%q*768I$#jAsHvj zuUTASs(GqN=h%HKjq%!@smLu%(~9*6@H^% zc)-QY%1OfI?42mi8I2dmahx+LyB0BQg}Ul&OnK*Py@p`xf}p{Qb^U*lmu%c2)~QE5 z)7qsV>6vuiawhnvh{w%|Krt2!_*Q`DsVvlC2*#3Hwz8HgK?0taNx`#(*-z#2wG^%&u847ai4 zlmbefTqH@qaPK(@t6r|NQ{2Joo5u@xnC>;id3Q`M(37X5+N*D{mQilf4!-)IFW!B7 z^i6Dj&V=NJ$QR%}@a@qzRuUXR!}#;_Zwh+-ZHFvpQxJ~7cs~AOxKu@8Ro9t3pb9-} z>ffUZZKJxs`AMoba*s2Wl}XZfDGX)HrWP}6j)$*$2u2(=DA{_=I|ePZlKJ1UTM+(1 
z;6I(d6UAB1Buk6V>s$McFW}R@D+6|@<0161XAixI^D|n>@mxOgw&_LLi-KO#gr{w4}?fuBpYuvi3Q@T$hk&fsn6Ycu!UKd2K zRNIHf>bqJx{J!O>;zff*mFAUVxyevjzIVg{hyL>AMkj@@UFG1dN(#4T)0|O@7Jn)*nsqQ<@m1-L+>D;W=TSTm=W&QBMwwF#v3vtqs8nrJuye>IucJ;olV=Kc}+>rGb2@00zTO2yG~?h+HM#KyIMLKJ5of) z$HNl&>t@h98Jw@!sJcoe?3N|wop$+YJ3FKOF~_u zpEbnE8O>boVFF=%?E zF=?U#Og*`HdwHhA$aFyKXauot@L~mOHJTEdu)H8e&abb*I+_v&&C;l7&9&&!9hJq5 zrNt)HN41)oinRJeMa^pXV{-BKtOf;@WI`p68XxrOUj_1tMTRQI`iCe?Rp+sh#MA*y zGdkf(C!pOA2!x&nTE=lyKHTh(v4=tyV>T&!+#;5G3h&n(TH1Prul3eSNFuHg1@b+m z7xm$81|>L5C}Or8t>k(qH4H zsd3iR1aFo+ZJ0TH^|hdz9p6XYN$peyogA={yaB7o5ZB^4Pfwx3AUf#t`6J+AvFXKM zUh;L;`O{gKu=(~#u%--~^Gc#MK9*XPwE}L9K^h&S!y|hUhUB4HpI3mjZ-z3-wFFvI z1|$dXMO6wl7l9%Syz3QV-XE*CHY>u^S{dRGS?gWB=h#o=30@jU5q?vSkF<=r+8F~~ z9?fS{9te!#>4MZvs?8;08(<2iug3M#{< z0QXe(!?&yQm?rw?yBlfZgMG;PHoTA$ZNJB7px%r-~agf zBEXNAXs1e06cmD7vx4Z@yf1F%zskIW~xELTz!O&72*uqSNbl+*ZZPZGs3 zMb3Xgc6#9rfQw~YE0>6Cu5M!~i;7Eh^nN?ki~LPn9ct!a%G9sMhdf{j08e-N;!M%^ z+#m95TfWzNX3iOn*P51E1vn=;qwyy^Aw|CUjz%|PI(XcEL~K~(Sg}5~^#LzQ!qXc(2PnSzaC}{slU3y&_fzMXHNeFI0n}?ei5W==Bt3VsyQOUXmmI;-P)B=KGsB1KFq7zt>uP%+&=x^MzBQc+s zsRiIB0uZysEJ$>PSSm63PyJ6sw!zv`DRsafP)(b^&Zv}HU;9979OMSM5v}(CrM72y z+fsRNTIsxs_A6Yu<=eU|slGmG%r$as}G6tDYJGzdSEmabBkQ+)kmjp69Cip2yHf&pNE(lG+*B z*R#UWj72wi-8|I-QGlVka3DAR~( zKdFG;FMVT%VJz}i(7IBuzRJbCYqw}qK7_|fV=`w_((4Y1brVBXeF+?)desgr=hr;d zA+YtBAt=urvJiFR{dII}jrQ>x64xDJcl_wu=uDy{i(J7t@)=8wDa_DgdpG@eHQ)UV zV&7c8xj64-GxYTlq@Q9#oR2? z$ZRBhyKN?Q7}~9ag@#~)LWF_($U4L)zaeHlaltG?qyKYO%=)8WHG|87+tHdQe(#C? 
zU?+B#3pE|A3^^I9m-`{q2D#;-jql(7|3_z4mFy!#80=u40U)o0MmGuX%fsk3<`1ye z_8IZ>vKKHhEIHYEnXp=1WM|G^>N$fJ?Zj^+0a;Px@93Oer1XZJ&@Py8RYH+qghVu& zZLqo-OEO<=1GE6aIsjjIC@e#RL=EgjuquMA9G3}8NPeVk%(A%$KS0y{htKxf1y9!p zYq-mgs9qjEBZbZ<;v0OWN7?_!7r%}U{<^>a)6>y^{qu|ce~jTDpCA17;8*j<7Y7IX z`#-&Y`?t%pm;dAkzy6e#^Ber@*ZrT^%YOz|a^Ta}p2*49h)1^n)%pgs+(NO>Vtmms2>_U-p-WZS>0X=ob>c-jq%5FP;X z(MP5Zow%IKX52L0XbS~)O4hYbzwPL>s}5?$FKD0Z8FN$-%l&U!FnW6KKXpR1&;9ym zcYG}#seNFF+R(aoe#p7`Go{ie4>iw!`$;pbuI?0PX)%&K?#F5jbHWVO=mkmv!@)=c zIrA!>MVs_3@+nq=kM==In2j9o0~|L)vIhDO`9NJmMfXbly+mBm3cJSn+Sx!fMbGiO zUZ*(%2p>Fc+xOg-_SI@2ui@KllbV6nO&EHw$8vugatoTy$IJ^cFIS*jo+&%_2qlmJ zf|wd$tS+>vKA4$#XrxwYhofVN4 zIy`O#6R?V_JE2s9PHj0=4bLKreUC4<8Y_OUA3{=Zdyp8tRYeII;NxqdpqjenckxAuEvGk~w2McJ61`&74mhTCOGsI%Xb63&Og z9YP^(=`I}`L7UdBpAuTUNVA0U)OwNP+NwWee$8Z|{snF%h_3T%k>dy6Cny&8n;UvTt=xfKRFk*sE?@ zC`23gPDNkdL@pt3Z)eKjMjQhDcGLC824{xk!1}H3{oDjktYe|~`6Sc^;5y{CCLj03 zt;aGT4|yObw8@z^#pkMQPh2|3e_ud)5TMI6<>|H0?$DF^8XLtHPhPzatTbqnf<%Un zkPt14u7v=tVf2WDNYX0@^(O-k?7+i%0|)g+IB~1*tXqE%C+^$4%Ny4P1l9Nl>2_ou z#!pw9N`D@&ZWpm7_k|j&%fT&NzPYe@DDMsaw8}MT2$#AiM~C}yb$C3^4#7Mmi0yh^ z9=7Q8up+WQ)OB>I>%%bWzCZVeEl*RB6U27hAci?BU1?;p8B;k@ZOhR# z7jsN(yp0t3VV*A?Z0>EHUTg+FO719Vppak)B~d90o0i&Sk*$`ewRVSqR`GkeVT;o~ zhxyt7&C77bxM2&p9srerDy54Vdpz>%-a|A~GlSd++5pQtG;+s_8BYl%w<0OKZ_uG~ z)eY-ZBesv-Xk~P-vRwEL;DJZ@T*My3{xH!_)u+1qULz@<<1Z6lR2VhIax#|Bxs+fG zfJkdx!e;imxRw%f57U&0sGx~ftW8*P$5=|9K7INWh~w#>|NLhnazI-|e7^i5y!G|7 zXTApikK?y*AdPxfNHP({Ot-5(uT?D%5%#Cg6xnzRHxD}(zE)4Ca3MBV!}t)^AIZToPf1IBniJ^WGerb zi!wuX0fP6XIvMnp9-FEtql1T3B^*o?3MEn-dy|BZ8W)ofDxn3xW%#4M&A?Gr2r{Rc zvzfj0P8UR{+oma@6Dg9iz=}gZ)lw`%MpcJc!shDcyEh*1g;oMF2P@FLW|RIJHs)k~ z!@3=sMlh~!J4#@v-JYl`-m6E4I^BD_?bOBwNb3)-vF#V1`|f?~$!~?@!<>n!IgRG{ zhEc3#B9{6-&{45xc06KRt@A%rebf&oAm2it)QpNLq53T?#dUHC>W|?bBHlsMXP(1l z$kB4Cb2`ZW0aYCn{ZEwz306gJ&2#<9ONRS*WToIL#Cox zFNs;9v%Xy&}_Kr(N_NO$FfW$6SD{_0hbzYzl4n`aJe0}qQ zEGOG!9GXMGcBuGi=TkG1Sck_%Dv&SDsv0cYjq$82Nf)R!MKn#L@y z-R`$JMc=U*y=9U}KIaL|6S&4-;K0bFEC@?)c`i~A%WrAU!3gLGkN;!;hvV~qy*qyU 
z@&MQyGb6y5-_2e+)op9-i0Qvt7+{uWJYWVci;^bEg0PQDjN!NIG6}yT*dDx{Z>)pB z=)WM`b_t|ppt#j1X=$lcU!j{4DF|L2b&Kidg)Wk_EN7CzfeTX`o6P~LvP{I#-){Ae@?}D0!K3dI5#4}+c~g9(t?t^qq~!R=3-W@? z8>`{QMdXsuqM*@Cd-(J=b5l-O!iqf!5)7HsXvR}!1e6qlfos*8XTq=yRENt#y zX)64T-bsd|o~TiS1-?(w5@>6l%FBQl!b1(sSgTRYfXaR$3pPi9v%ZRJx`mZlh?3mV z6tv*5#{#@+c=nvUOl6rf6WwaLDRs@W&KTMs7nT#vfN*Vu*Zu9i{7C0n!sK)Egncaj z_~ej0`8bv8KWQLX~3&`rXsfus-Zl2`h@JGOC_9?38S|N7t(xaLD)Pi7G7Wc?YOUo+;qqa)MM(^ zRt|O7F?Lftb6E9?(Khka)t{^uR&2{$AUv@FHgfu6(-Ujzg1w}~=SY7XwIH{jN%9`*r)*LcS#tM~rA~>9`-+GO(jiK&2ADZ*x@2a;a_sPo&KT@IZay-Dd*>KVVzrX6-vXo3OcF66dY^1^ zR3FYy2M_AQ`KcL``lp!IhSQ5yH)R{c*|zZgsv!-Bi!IjRza&v_PMjX!lOP?u95+1e zWwT_7A*e5^kXRaWKyyYeW>oQPGB1;YXI>k=CND*gQk`#x(9}I07$AAU5SAT3CrZd3 zQe%6CZ)r-eRdv9?$sGUm)>`eGeN^$L=2Jp%DNl^2on*zq*hstn?CXUf5~gfp3~=i* z-;yet?5k%-pyoap16PL^!P%@53xk;F`I=&5s0bG(U6^yh`_hN=(~U?Vig68-K-3ql z5(qrFz$Ar!GuQnIAzP=<__six1_LrY5{~`M9Q+mr;)GZ5j@5==Kw`SkT=ZCTQK(;$ z$?G1Rj633x&=ZOe4j-@i%0@MT4#UsHvv&t{Z;0=Kmt)vIugfzcmd&Q&0Z`TJuP*AU z^b?lN$g7KGF3>w~pcR5)NL0S>Ns{m>D|qjqLV1LVaKC9DVd_=1Vl&{HNdE9EC6P!H z7U_WfI6daGRW8#^>#W8%e}U_?zBnJ@(jA?@Jbv-^<#--{HWPQFLX1kuM%=eQy}7@z z3{F+pmy!&NAII1f6%A6cg6MvbN@&t~U^_wn^^yxw9Fm-(W8REvb!?d=xI{(H*rBUr zJo-S1Ra|A4p56dO z2^p?C7Psm)!tRdlM1I55>(L!AW+N1F|G4(=tI6n;a9G z@gG<&xkwK|!Es1R9{)9<=6g->OA9e?O)p;+#Vj_x)l{8s1X4JZZD7Eh#zNvdYB_3~ zh{p2(J?JB2T4B=51#Sn)RFc>6zlIZmR=Mzy74W+P7>QmVj+^))=?jZ$W4Y67lg!9 zee6F1hVsb38yG?1EzQC;q2`N*TxEaO3Qkcb{WFq@tW0RZ(6bH)v;jfL@wwi3Y-`7z zyT*}&Jm;gFp_h}AfRwbOs~aFa-Ipu5qR5_(F%$<4n2^BAIb;NQLo^ zH!^1B#~B!he~X^@TlK}?7B(_Shdy+3L8T2L{E#pj&BzT~jF6Hu%B{Nr;Kb1Ju72=G z0ZQ=`%dSjZ1|6%zb<{AIL>s^6ZYCsiWA1v}F(FWtWTqq1Ld|M4V{$re298L$R9%25 zjk;&vHd=aaYlVFvk)q0Usdfxl5YPhfdFU`TaZai>&;d(_hScwxRk9O(7<45tUR$gv z_0j-}T=ktvNjS{loaQ$yw)}St4s_c2F<>+{=mT8(TVgNljmLXBB1G=SQwRye5NKZ- z9ML8~=JUn8F=dF%9uNbkbx145!ZBrl_)3CeF!Hsxf&?8N?1lE|6II zWA#*T^~UU}_c2I~5Q>-xQ5X%S!_^c;52qyBhJq-Voa_yE$RgO(e8!*528DLTLGQpt zP84$lSyfARI+XmTG`E2iyPDD~lD#?S>M9k<$$k|o-XI1~(}Lww8nFXM)zUk5md)6l zxEL+Uyx%`6SXToz 
zZ(L0SwYFwOv7^C>!C8^62FlM1PDBc)Ik0m`2nmK=8&@e3d9LIKXqZZpvukzj$}zQD zZ@j2_c^p0=*2vf6e&MZ4OL!(4G75MADyj0V=ydM}oFb)&I4I1jRr9ukH&GB1ZN#CP z53Or{6oh73;)S&YFGDI~c2-UjE@v0pG6}V{f#Ay}cu$vUD8THLN)D2lI`Ndq35mln zA-}2J-AV$Sxf50}^T>Y;SL4u8DwM3Oe*KVUwcjI}_!20Rr7%q93_=myM6f`D^LblLAw#6(`lVpN#>aDK;7L^Gy8{xCdpEWW*ztn=zV8k+ZouZvbuq7>qvkq`3ZHx zb=4wp+aoaaDD@zAH)f&7{u~!Y&L?Hz-%2!&IWmy50o!i?Nvvk(tOfw`9g~^^kM!C^ z4!6*%49jO6z8xq)jjf~uLJt18CrK=#Qr(2BC9g0%s09jJIPZoCbTsox20^XG;x4_T zd3=1<>nU9K60W{+ZK398qJF0nQ5N1)#e`ro(aJtO(`cJ!RA&S4GksPX&y`x(SzCA3 z)}6JLH1{iJV1QeJ2~1aGN?wMdhvT2nRjgevDz=Fte$x-vxpjmHVnXlrN`KtQ2Bf$v z$a@>Mj6t0Ncf6K4*sEOVE?A-@TT-`Whw9Ts{G5OwM$=T_kt`2MLMJSdhgt=Z##J8E zz963@XuFjE_-53wiPak5_g+yU-`d)((0NcRX-s14X zO&0`Yzv-Y=9&iuCvifZd%eKwZtD2(^twOyn;{-OlGe_^t(d03kqn*?BOdFhQ7Uv*_3xA;d2gw zVq)MpOa_E0!m^K_j-#wR)YXjVY%cP}p{+_itktdGz(C?U_hhng1hXy4Wp)BWLW)$S zz6UFNCa9(D*{;~e05L@SIv!SLWyRB3dP{C;F2kshtR{-Z{FY1MHBVNBri=H1G)q8! z8Ojgq-whf}V|gxW>BvP{WM!clIuU*OUz-ICc{;4M-6##2`Pq};3ad0o`~Udj*U`aW z_xFE#I{L4FezE_LG5q86gTEg9YX11*;9!6Mr`K=)c6s*lpZwt0pVD%EgMabB|F%AA*#6 z7z|WUg<#fv!8hhMZR)E#_!MlOiJayO5^EjcqBoY&RwLU(7h~R=HZU|`5{r2`-*~tr zsMVdpJBT;0W7!*cj(*J~DWTB~-qP$8hv-ae5yGE5(IAL9qp8)w0}w{UY){&EvFSnT zaI~Lm^y0p*=s?M_Z$VJmddTE}WhaB;vG8Bm8zqc+4T2#j`>^wT&?!FHbJz^bpr8r? 
z_h%idY)TRlIVdq#HbVk@X?Q@WDHl>v^IsSWx1fAZBqD5h1W9t>E)H}OOnaA*7T_bF zmvd4|)l-qy>!><Rc!pMB35xv(==DZjwC-CUk!2{$U;3w}S0nZRjNZ%GSSM_X*eCo3bOo~C-wQQ) z2`j*TjM)T22*{d?TSeV}=&j;|)b?@i;mq`)<_s?JR-ZB!qwiW$bv-XrPsb+*1_2AZ zK2=wy#O8eheOu1dT0ktbT+E3~X(nf)0DTY5Xv7OI=)TBlbfanjn=16Qzgy9P_AGFT zpzftt%yLm)&%n_P--;3{(KoOkHqctP)Gj7&TN7P zvsLyh*1E+C4mhWpkqN+ulv zR`1h4&CQvq$;LP0W8fSSO+nHIYlR{qU=Pc~^=&pMQ;Gcq&woi3ae8i6p|_sfitsMk zJWFV?aY)dQj&;Pb(ku2u(|AM^MeS!loM`7zWEz9ugO}#aNNo;CCAzlq3kYI3VKMN0 z-LnuoySPhPZYb#Nhm%9X$82o=vQ?S0tPt1e>|&g~{Fnm~k8vojsll!L>Kipk_4M1( zH%`{4Z?DwR8IYjss_~WU8DVqoUY&{fB4g25XWYIDaL`hPrA59NlQRM6KOWWxQmrZiu))bP;Rlhx&_7Q_@wugbC*?M{9o!0T5`rqWk%DO^AZmeL#>s-r zxh&`n8-M29SABO~_VTLG#N zo&LW<)iTmunebGN&<+&TD%m^3Q^>3q+^tlEDjDsfm)Aj0rTLr$$$OSQ!-6gz{vQ-VbwD z(3lo;!>V(W( zXrJ|mXEMbo0PTG)Wp`FGr4j=u8ypQNFbzDnt=;h5_@hx19;XYOv=p45;z<}vi)hC(1mc`I%m`HsQ@je`)ODkc*NH}99x98xpxeRL~M$tidt256l0@R zHwaj3Pea=tjxhrCH{cS(zgV4}5Y&=Ed*=Fk4SyK1!Gb6zOl{IClwA1q6I=qfofaHv zwF_QDo-l1*HK762k#l@@ioF}w_A6ik3oR=aGoHtzjON7x^-+hlo>{NwAy}VPU`HVt z65Uc;VwfUh!qm3&L5LDlnyb3)QHQ!>n^GIKo0H2Zg+75%4}%6l_#y7mhPp2Ysfw@+ z#u2TL^(S@CdVlhfV&k%o=0hO-&2n zV-0Xe%?NNKr#DU$6_X?TX^^8A7GRKA=K=a0bXZd+;n4<3C0)206^C&f@rI|d+EH+9 zg04lDQN)7j4 zGikMMmQbx+o0e&WxLjT=+`P{<;T`lO5_E{+V&)WWDUQy=5)YiD3p_j3m9Dan=)kJ# zD4fvf=8ooZC`6k;6cbu-OhDjqbSioyl4fCl9O`DVa?sD#Q68 z(Eu1)7Gh2d9)aqSPaQ+!+@^Q32p5zeKzh;hJ#ZVf3!rOEm@`Lu73$MrhUv&t1N(i6 z7#~0}+A5-L$ycmSdys!_HorRnA%%wKh8y#X=BFxVD&Kq zbSA%L5>Q#jQ%o(@HA`7e3oyj$(86%^H9Hfk9K^E1UCp!jXf1DFZ1awOI-s9C#dSCP zbHGAE@V5iMZi3ZyUR0~$Y0vYFGmd&jk2)Ac#3_3I=TQob{vY@v(0 z`>!s$`){-C?!O`Bw{ZU@6<4~iJ^jv=wCa4(nX`4~fsl8i(1-{Sh-s&Okpcs~ql|cw$&?@%ddmOb{z|<7uGd0o=(X*i^MI< zkwjj8%xJ2v=&vYG6oD8*sjM21U$hPba7zQ35FycRe;nuG676n1{AsKRHtQMcJ zR>Lq?WwM65GFjbanLK9al6u*YS1?&qAb5lRNLa;0vnS(1Rk?pfVxE-+bJ&<>B*Tut zf%~i$Ec9qjQ+mxtwhN=md+KQL2{=gCPi%yR-KJ|VyG=Kw8|Rvun%hpx3Vqvdm20S$ z8FZUm5;5mR!3;FoZlgoOi&`KC%^bj1fdFUr(I!Q%1o=T-fy?$Cmnf#EgwHcflmeT4 zq&*dlUf%XP0@x&BAHjNp9s6DIp244BM2GM&BsD@dAM0R{bixwy?~>&UB0|FHn_~Tn 
zAc?T#F}l$hd)PL$WMB+?`B4es5Xfxhn{~6IDn8~gdY|fPv{UPf*@)s?N$@5buzCFM z#V~d-5GF|0WOjrc_sjs!s(k`{#sW31BA(o^#i2$|>s;^p<$+y6hlMK7oT@S`26erx zLYY{C)8o0ND^(uOYe-V2p3@&MZ0cXlGBukTuW6(_*s>Z|;mh!It zg&~tcpRIH)U2Qf%vUvj@N%wo7U2)ylVJ*&BQPh~zOtF>!r6da2b^jZZM9VQbCX%Pu z39CKRRtBe!=BmOZ&)izkPJ)S|>a-c%K* z>60p?YmMPpfeR1?PvF^;Wzlpsaq~XzJez=HYNhT;LeUDdZIeN>y|(;w7tTACG!AKE@}e3rQ!x=70j-kmrXt{08SweRy1 zJ{OYVRf&JXQeal4!d2uiq<# zbBxjz97dZUos?;Xj4@oj9fSuVz$T(hHA$J^VVju{HA3T|Z=2Ty={S|~sT!yDs~3 zBxmGgM$?ofPONI5vRB>iih@QnJRK-e94=w%RGtZ0kU5QJJhgE-Qxk=}x6&#;%qD_p zZ8h(*CVV$xaV;IQw;mg~cd3plU!!I^Frj$4ghLSC^|#QS5SpCMtznU;&Kb}22TFc$ zB%Xj+Uy#RjChkZq$Q=Vrk`hk=!!M1P>x>i}<0-axv!?H?FBBXzK**@TBynuBu0E zPs&uSY?Zm^)d?wRe$5J17fH+cgyp{Q?c2#SxAhFNwQ+k=zmjwF6*%UATsIXVG8FumKWgh5Ex%+11_*<&3Zj@1$>(KK(3FW%`qRxn)Cz^k0SWtv8);J!kEB5_ZH29u%zk*Ku+Yodli*i;3_%{zuRbeWwPh0Kh zr2wD!)VL8<`F;ahOC>M(Z7sqx#K)jg+Up@43wqy+WECiwU zinnrW*qdX#eVT$NKUQ)G&d&I6*^>DmN9CU(J!;R3Ll9G;&VZ|E+uk|nrtuvMQ{)U( zqKaFV-*R?$q&?e4cf6R5v=8sS;jEUMyM&D`~ zIIX>@q}!1BQpKdvViu*0ZNzGYqkst8!J9|-?!$-E7sF)!>N_I>!@uj(6B7BJOSA*> zf0ynJ7jiaOD%SOFX4FBO@H%3Zru_w%H=DXAE>&FLw|_f%N%XJvi(*}g+}lK;f;mu$ zyms=X>xfkbyO_(HPe5bcyo;G+CQkmMg(%6LjtC!k*SqA|bMi8kWzH&?bF(QWUTy5= z2RQ}g^Lx{7-y^B$DSedc^o-^O+*&tHp|)bfb)6s5O_1p6)OcalF&SLiN-BT@9CSm- z@RiN&Lyls0dn9A}>=3$XoWAR0qLMs$_Qc=91)uYT=E1O%$5VCgjmZanDrqqQsXFIMleIzx~it3blHefg)AGl9_b4B6+dAYIHcIMWk+6|vrKGEV#MkiW(8iTAB5zP zz?c?r`>&45n^Oq;bmoHyDCx6qeaQB)qCYNqbE5|2SXST8ZIMio@ zNBd^8oI>sinv&C$7gdIRbhArDsu5SJW^M4e=7o;@jSZ>CrncTDt1K6g*4d6=Bi0g= z-gx6zPn(+B1kFNYYV~{A(fihGu!bnT4LGqy3Rl@@F}Pcu&I9y*pp7giZl^W+_?qA9pq?8uVpLrlL;>!I z^zHfl&F1=q+jU@%^d8s!iNt)4Ns?wZw4PnEfMY3y{REFGjCog+x;6vH+*Q-w-9Lzh zn+hA3efzVHtdLf>y^W@%*U9CiiDITt+auerqw|-?FW$Z!&->Oklq<3{&IC{WQAvh! 
zMO(30I8zTIVlPb}YENK0oAiHGLc5IRbB^A0_a%F8byYSccH4d3FPzh&FY0;_XIHHC z%(JD25QwR-&eyY?jcl5vDNn#HsuD;XHs4#hQQR60FxHSPnhM-Xq_z5V3=i!~5NUII zYTX#U#xzH{w&i6xzvT(LhTOzFy_Qu}J?%{7vnQE6#&uiLTlH5JsRlRIyZ4unAso;a zTUAJ_&UlE4kkP1rXzJqU7k@Kh^cQawLDZ}_H3IP6qkURa> zk$N)~9)bWVp;i}X5}kYu5@QqBnyno=#yr%v6@qk=s2;@QixRn*Cp^75w5hzNLdRES zL_IJYBxf{P{b1WTX$?5kiY-_6iT%3LiM#3)H0|vFx8%H#w*>PFSUT_H!Xom@bOJ6&_ZkPmJ8|1ts&&|^4 zdQSd+d`4)gCbZD`T{k3HRb#%u_zWwJSbw|bcug(a9PLAZcy~tMdolU~JNQHmy*%Xw zr-jJ3VLz)?ZWVK-EW}*zyi@ZAfRlnGsHI9PZ+*C}!fKqR>TXCQ*6{f_gdC~ZHaG8h zTm42WuOSmr^6m3)9P9D7Rf18Ic3Nv2Bax;o3Q6c4zFPkt#wPi{(}w;XhyFiHn&6a$ zOnZ3uYE!>)YN{`+9+zE3gtq~MDkY{B!oe0fO{H48VJeF~jU3n``$d#_4e49+R7}d$ zm7j1-m$;g5tf!){ds{NQ!-m+nnp9V7m)ITh89XCzxGd2917C(BEJ z(KybZL%wC57cfjJkT!Jrj8`r})bwjL^ zWj>88`s~wT(Hqsq@PGGhYrd!M@#yslQq#{`Bfz6*m3@pY|SL|?qS_}81`?_R!v z715|VwUhPrXVXybjc|=1nn*WiY)>0z_LRJPburMwzD@H(I_;aS2iMU%DHUq!2sMe2 zj5HwQ@>XYvJbJ6Jnkt;WM`sV-#xjJ-i}}#F0zp2vxf6Oo?P}z$xjG-!$;hNMoc2?s z-;G!;Mta!m9)Vd~q{2-x?bgb5j6xG)(Xp`C9I5*a9UZYJ@gRVt+cp#9R;`kqeO%`_XYj^}4ICTD&Cq?tnq?ugzZM2WYK*Wl7z?xk9&!!a<(# zK=*6)ftl;m7g}UDzSC0EDhVW3vP`h|D!s&~FV^1sA}{VlJ~X6P{j&y!Pe0SAQ}2xY zf9(DHcigtMD2|_>^H*TGUDr~pk?f?&ImfrRU5f3bYW&dGQj+hzX-|bAF*Arb1WSOD zC#UCs|14}g2y*xUI1h~+qN^*`ki=tSV`IO!*YQ65BYXu%xK=2*?I<7ONq)E!yz?vn z6Un}$4pShtGaqS%m)zTu)?rYO%9Gl=RF9LqW!h$DzA=5v+0T%}-Ji6XFO=0xmDEfU zxw9;F3wP=~OWg$!RME*L&bX@760`gC9_KMSzwENsc!$v`oBS_*U36<_CfQ3mBiv&(gwQ(Zu2}#kjXU~*E{n@|&`@bWobQ+V0 zF4td#x4wM-yno35d;azf!V$4P_^0GpGE3DkvemifyWNWpus(aMBdeFag(UDwhZb43k_>d8Wfy_TK6pK`!+K zCG?h{8UHqCMOIcK$_bYukuLV31}ibgBfHIRd(0QZAh2{hCxrDE4&f zX@IYceQA4FTck_Yl=KNF%q#u8v*#rPVSMvenTO#rtT<+*B4n=ff{U+tq(3NH zH5&>qF{;c zsQmc$3XpG7f_z{R^4*jn-*zGL4XXO@08y z$se{n`Gy6`Hz-lQA-WDPQ$Dm%`H)iOgNv09E>}JjE(1%JZ=-1W2AHrJ>3QJNwVVdA+V&r`A z9aD-tNLFAx(wYYBE3#D^P#4Kg8Bi6-;^PilZnQIWRXG?iS{K>?Z7oZ7E7im=BxeEr zHz;mGvC+q>TQ(oB^s-e@@dHQ^ciMUc(c5K!M8KMJrnU|&qx9^Xp{NZBFVeD%{1CP9fUOK;a(jKR>of7bc$LNdEzSlQ zo$R-j+E94P3SlDa)pJiULRk~RjLmLG3hqFWX!z+-4iQyHpc6!Jw2b{F18X?d zS91M|Yh?8sE(FubET{AI^z^CD 
zs*L7^$w(VqM+qUgYY&*GP+qRR*#I|ia z6X(lwzw7(arLH>Ft7=tuSDkbA271clRAQ6MI<5Dh5?l+b%z`Y>+*q9S+QRu3SrQ5^ zc_|6+QawR|pu!&jE>+%{oyd^JoP{&`BkK+1Q0e7ObyMlpl@5$-Ih}pY)2a0p8Gep7 ztG`)$ZdYcn`Gm2bs^;)zul1$g!vkM-z5L%FhIX&EX*p=TsLsx?NA3hiM5Ute%307ulqHT?^04yBe$S?&<*oi|MX#HwZ!BXJgQl6vQO4X!8bFfB!_Q?XT5mFDdpxzf$&D5F zn=k8m2KsQb;9LfrHlRLkK=QxB>k!)&NqX;;l8SfLI)G+eN6cW2tvQm*mrGw`yNhJX zqM6!Ct*so<=M}dGg%7w4CMg`eU#ay6#x{oyks}AI}Y}??#j@$-p(f~j*Uj{S?y+%lZ_k@|I9*rC?f%*kON{B z_jUx3Rocmz{W{QNM@vH zl2Qg0ZxZubccCAUsC81*0pKn|1?JpELNVKu%cdukB}w96((_$H{M&ok;knSw)Ufyq zyyM|R61%QX0xxvLDaP)%u}W7)^}HV7%(ZM6`Kn*lNLt7Q&>@%P)(CCX;HHRAOyQqV zfT!+0zeTT!dL%LhgZyuvw~d=`cJ8l-xjBUyitpEdJA|KCXkT|-2fqlvCqC}p4-Sfo z@_N1Bubz%B`W6oSKLHpMI!`NoaegFq-`8tncXxUIyoQbF&;g~!f9@mKk1=<}xp%EK zc6YM<0Nr6{F6n~P&4BikK>=MPy!K7d1kiA;ScEwkG_Hto1y;d_8Ub6UKovw^w;jm3 z8$Yx!htA2t(~swXX$NaW@tL-{2m12ZT!*5QjdC1(wW6XEotmF4Z<^76_pVUyd{kIe zr@rYEFjtgS&pw{1-+P@R^^m#aNz{w?Gq+F_!U35ShBcVwZR*w#d`8FTh|67@@tHuF z%qdC#1R^4_C+IP*hd9;8XQq|DEU|5#-_ za(jg6`N}O*pgETwqM&vWdxSUlOHv3Gu$`|o6x8)o51igz!En?}tn;6B0P(k`HBpwJk=MD_pH(tNRf!mG2*m_6D)= zOybMd0H!y8aT!b5p7Vc=uu_+bpQl4uA#fkI0}jZON>bYt-?n(rlb3V-dd2z(Nc;Q?T!-+jRevV^lEyT5qp@)R`TZDg!_LUN!dy>K$_UFk zqcxW`Mf6A~SSFspc?_CE*|oDY2Iv9N>o}jVDMKtEl2qA}YPzAIeH&cLeN3ZwW+~G> zQcGe0&AwcE3sz`#JHP|kW>U{L+`FB zuwb27zhQ0t!uEo)6*my3F!th}92Y8%zE$YuFFMOAHJ0KxWt zo|iSw$XO9;xJPGii~VIPYuvG`d9Q6F!L(-hSHwzG#R{&G%+6C~TNYVt_Ib{!GEx$z z(uvfsf02;|y8fzM_qaDCeyH-TEX1Fls&GI9{~2I1JhzhYd4&$#KvCW9?wFx=kIdK< za=Wnc4TN7T&}Q+<&iGyw_FqEsoQvT zHo&v$LPYAVwPoJMT0;M_0 z?6^?Z`9_*b*2#mERggxevx&}BTVS;tI+_SQHHv%ZbGjFRSv;)LijSFw-!$1aeZ(LlVI7&NP_`(z#}}Z*Q;I2&%!!p zd2x}D4L<3;}fD!1&8AE&N!jN=oxq(hQ<`JA@$ za*4u`5!SyPe?js!mXg|>4`w>&cFW(fo&CeDXk>b3eUuA2iRdS^U_QF6o_z`u zZ%d17N%?_@S$w6An1cFP#-)E^VGvQXn)W!B=OBBO77-V?&?7m{7Hf6|0>XFkR2p$q za&Tzr#|fiXb;^bJ2_FD@3LBBu69_Ja(AUw){v(vPNmEc(aM^(X8U4DBWCuS*F|U3Q zLK)LoH6k&LhD@Mlf zI>})($*N!hA*K9SFouKWUekbyft2yNt3P9K&pb3XsGxsNm?hzh6|;m(^Z!_`4{knq zMAMO!Zdg)9+mIGS7Df0B9{o_3{T-HJ$8SCP>s?TA8aSNzOmFU%g|~nsL66FDJQo*T 
zi$Ws5;`9!{`@{*BOy+)4JEq?O#qYGE5Lrmk&x4&uk#q81m07a$WeWyo_xGmtF&^S8 zob}dWgZbNWa^TJq;o7!@J6&U56gQL-iFa3bO*Ji4c_oDZ@FWehr%04La1(=TuS|}v zrXk!)e67Aw6RL5Nudy+Hd3O%y(gc3HOv+M;&WR`SFNEwcI%3W`yk}H`#S{0cvf{dM zyL;liKSr@ErgaAZA8RguXDd*SS%aMft)WGet4AGHSVZAN5HeU5;9@L3HxmqW1${7%RAP9(| z4g{X&Y@=f21#{>7OH7>TPcZ^je0u79x8PFs1Ata}`WuH9L5`0fD-hNa#P=F=Nu;?m(?483WldtW zx9ATxuIMIbfJ=0T%w4;G7@#k;CI+{^x>P-{NVArxksF`x-jd^9*(UhV|2kH;o|4Om zO`|*}6(_+*CIv+=uV%%?no++Bk|q94BlBOe3_tH{#qJoepFT=7*Cp!M`j|shX=(q6mw1` z8xPd~T!*MOkNg!~CbDaibJ}idWT2FbdHc2^#7`&HMO-m&7Bm!dL?Zz#qa(UF z{|=$o`-U?Y)wYdBg)bAx9UVy|lbM8N%On=G(sgmnCYcs&4-WJuCn4*owgNxlz}*SR zs^vkj@6!M2#xHN5R~B_Ge5AXIFx{l}FX36EW?{3YyxR0k%uv*;T}B&661u#BQz9-~ z{MCMzLxvx!R-06Hw0TQlQ!teoT`$E1-GE%=RizT+k8K6ClA(~f7zl(p2C0#L72djH z2%G626AK+|JsIn9Xp@}uxT);2q%p>T)kCrQ+7pBpidB2c!?>WETkPZP=>@6b{m9~Y zi$3P$^j)@G)l-uPy0;_nwHr^$+hw2^n6Gqe{-1wkvS)X_=cviHCJnzo@(|ix*?;SH zHTBk{bSG8J{rx@@MMF<(f(a;)^)7f$of6aEMW-O}s2)M(h|^i3Ed5pKsPdi~%8-uj z17rlG$5dX80hLGxZ;;k~sBH9Lg&^4hh2SPVfiRj^M3ZN6jbOrHnw9tGQjheokeLH& zwHx=W>m!~FC1@6$V@S%}5h*Ok`Ea`+cOcf?+o(JSP<}zDR*e7PpXi;M9ZQ?ZlnaNY z_LnO;BPyWwQAA%zXIPwh`tBmh%iL6LHcL@OMP0o%PpByB9)%?XHEaDkg;lX4HRznx zC(&b?d-O*{GU*|GLE;Yl%&t(u7b!U$t2HwLeLx-L7zwgk;Hbykd)P8&edl8r&U)V) zA{i82eETCu7>uVrM($WAqCcdt%thWs9{V|-xg?E~f5(LsAl1Oe(lF=(agCe*lN4JET|60A$D5SAUwvs44UsmNd9_XT&r{2=vZx12+|VoM!|;fk3Zs@EU=QAtBCNLQAOlv6=%`cKRKbF>kQbX zmg>%#c~YgO2rlmU7CT&$9e>`X- zR`p@%`qqG0dq(~lrb%N;KAY*MD>n&oOeOC(fK(U2(fl5)w;qVeQ?d2mDf)YZETG z&FUx72PLjkZ&hf|E0e~j*sH|$VkDB1x5Ozx}UZ%b2s zN!?sVad|v?)0--5%(qMG-rsxS_IASoTN^oS1+C)YQA$NaT&7z;-X8htHZ4}Q7?})X zkxyfe#+NmrwBnPZXEI=yBK1N|@lZc%M0JM*bc~25@;UGawxP5IN^{;>WbT~2!uDDF zw(?P9y3q#h3XR&ll0!^qTqj272-t9GRB%-q5Z2mIyv6kVAn*RsJdHZSms!P6M4WI1 zog*G%@23Lnq_yxg;Dv4fTWG82-e2MM9_!72ob3*^3^anB#4tROljD>~i|N zk8r2yM>@^1WmbKT?28y48Yg4s5J~lA*$)_z&-LtfB(fwmaF@V~I{Uj~&q2y!&x1-i zDq+Rl2Fe)}ukNZ~#j{5L8&VD2jO@g*pAkL(lk}co|tY1k2ok%p2^EM(3Dnn3?ie*cB5cc zS~Fw8AiO(3Abem}w}@H7HgS7Kt7_{1K`-1#Sr_rZ6DB)5CXL)ol&qSA0b!ImRHTh< 
zdCLBqw)FI*FDqRbX12>kf#fNmG&(vPbN<-6wDja&Nxb}^ulOS8rZoV;vQnwhp>RIH zrC%L36yghh5b)df`dtVn1IXw^SLWcGPO>*BTc(7|N)lnk4-HTR<>Dsu!a9V>ivE~_ zA>~}?Rk2sYKLB(N7(3Ypg;O$yW4|hRqI$KKkOl@QUQY~F4x4*n;;30%aIED|gW5G# z!Y3GWptbQ5)dyiX75YuohCf4s*Zv=UZUc7Y-;BYoa0(ey)!Z^fb zJT9%Dn{vwc6Y6*n5*iB=H%{!~=7tMuE<=~qloUa(Bz}bxXiKbc1M|1H8Qb))2CEra zmh-^bh2;(|8e1k4ZdCt#O$4^>^!x6FG;`Ug zRS%B69Ct6T{z&`^|R_3yDt-aO6(ZSRTR^Ny1*0Ll%U*aaR$ zF>8}nx>0JWB^2z(&c`C#E}E?v2E3dT1*k8wRiWa{+KFOsP=7xc59m1}b#ZHc<35g= zYwM{F0B%OD(;N7JICs>=S#|4Yt=goA1FfwY;08M5{=W}evG6!kZAK2vA*44`;dy6+rbeqCFvb)Ez zv?M!3lXLKn-PAlmi17{|a)=nN(miDhdTXwpafM^TEwI|#pjm7l3`Ds!IZw#);QXy# z(JEl?bt-UW3Za=f1-zx8{#|{czpac^U@TjfQZ}CjGXutMufNw%H(JnGOkM%Q%u)kF zo3i-l%1erPbmQ0CZ-`#Gj_%4gjDLP0=qT@P6Pnlg3w47Qx=c}7I7FucDAquD*X4A? zqtjhumR@y>{WKHRI>W3=oFjlC?vp%?pHJX+hE8X~g8gGcQ4f27XIgIHF)L1|90J<8L`2PGgl5**P)L&#~-aHwTni0UEZH}{HnPFvBWH#Ivo0>7lval^a5o7mX z1)o2u8OnTXEwUFd3GxMS4E6a+*w9v0ER`VXh$Oq6!e{3DHMBH!R>&YF8|qri(p@&B zwqld~d?j(S9SXeOd{QdqzC(eM^25G)3GS zrnr9O+eYjZfGEv-;N$xDsde5-itqszC6QCiKm}$rsmf_yS=GEN>lSCXET^>sNv>w$ z;X!?Y^rob7G#$xOjuDx!g*`vHG)*Rb#k7FzuC`Bn5>(WC&eVbmStJy|7TzT)Rv0+0 zUsA;S28BMlqOm+@_3p51{dKB4;(vZ(;}xzbF(1Onv!Qd(>WhV+p8$mr zhm*?VlqRIa3m4&)fERvM%3&h_dl=z8Wt(*RipweDO5iO^>WXCEGLk7#J{H6Ax40c0 zb)8h2vRNW|O<>Y2o+4)!G<^htr(w2s(%591pp5^kn?HC`FDs)H;_^&!{x;ya29nK= zzgdeG$?9Jw56vd5AJp{~ZM|ik{Y^NM;v-S-HR8cZuMFY89!R7s^53TeeCwc^S^X1? 
zmn=K8!M=(KvqbmpeY^P*3dE3L;IX34H=@ouLW1uwKsZuI=Ecs6`7^0(M_o|2YYvVx z%b?!Rgo{m20l9OHv$Nt8!VM;IR7gFUboc3qK93=z#w7; zyCEQ9GS3rY-av@(tT#*_RCES|=z|*=9fb1Y4hcwuL~viDn>E7~VgQb~B>dPVTy0#6 zfS5tytH{qv*>h6p*QU>nQ=^La^%=2@X%s$vBO-YE&GWXH;x+8W2mJJ#=A9Gc$jTm4 z8Bk_dH$2W)8k^$z6D@J5A7j%#aM?|MFV7EuIJ9sa`&a$@2_7s>zS_1EM?M@(zBuFK zf8uM4pOV&}TeuH>KaB+f*O5*3pz7QuLrH%GnT$m=u*?+Y*P56S>?9&a_Q$1oinG|P zYi3wfPcE$f)S$Qf-%7=9`&pb`xb&<=W)S}^Q`GxA%M7PqKP7hmRmf;yiMKW}%l(n| zUt1Nc|DQS8rF~G{w%4a<6&Q1rBNn9m3Q zTrTVBQguDC8IQsOc&ukXaW-^Z#^X<&V0}WHN5IvbMn2YrLUXGK^)Ke-(=)s9#AK%* zd9wukp?EfrKde~9Nk4K8Fe`p?|JPp%hc?E~gzEfE=+DFkE&Qatf6~N+ajBtmjk~gr z&2%xTp+a@>>|V)C8I?*`+Jv5Mu}be3wcV%= zk0xhv39b#5*u%w3n-QooK5dL~*A$fO!@_7OJB|07gD_s7%-V?am|H#?jMM3!tmhs0 zgg$*g9HJ9;uyCx;YFgP4@5WJ{T(l#Oq2O#LsvIjh;UnmYY(Al@O}|`-;$2ef-SX5r@F-G%Z7<+1QSqT>}~w{e%XOX_sF2Iwwt(r9Z|Y zDk^wc+HxT1^(c>jeY?6&R-En0-0#Ff&k}i)f}f>LCZNa1@J^hBxxk{f7@+_qD$3RC z`O}FJON}Mf5+|?H8F_*E0%y7b-_Y+A7C9|hG-a34daJ`+J0aN$EqaCCBb=}91L zb-iY}o!=l<*{NmOC)=EF0iM?HpTC15N|49EewlbA#U#Bqd8h8oy9y*uo`^QtTM!N9 zd_sI3Q0DdeKYfAo#GB}OHSU_KlXV(yQ2)XH3_Q$kd<5H?XA=+tkNxhxiZ#kGehTJ1 zf%&_l7AmY2lKL3#WiAegumHTgoj>Rw0vbYg1qg}!6Kf4>@bg=6Ya2k(pvajB%1Vlb zq-QD-<%ah$BQUjwod;xuB#iH+o)l)4v-5G^i<}+a&dvz?yg&WFA0KZxuURFaob*p~ z$Yvy6GaJ*pgYWhfruwoakZF|*2%+d;{5lPFb#>Q&v0|)zpR+TCC9K@5LgZn6=IFe+ zMDFG7jBd66E&R2q&M`jcD<2Bv!G(W3WllMqBfE9tG1CJG6lyj$FU9V5eNEJA6YiOZ zS7eUyiz2IH;qB}G;bO@}Ed9>#yk6Ir3{&#=X>yr2LZ|ooRYP_!tfguj!6tp0WG&NO ztFqxwidPXYUsTOCho8+bmUKk>PC15QO3i%>jY&7+;%wZdk+;^j7@h)M?O*e^rF@ip zC!rdS_)>!|ECC+2*h2)XpiDhNBL*O*yqj~QsZ0m`ucq}()!<(kVsP!007}tUIRW#S;8P1$NL8q(2TFo1 zQ%$I(GR9ed{Lia@-F&Z?l9jkTX%W!-)3JgpLcgZiqV~(&*!)M zr=7FAK0oQ`qnfu11BqXWEB^m34_{tp`run+=T&7j1(b;V14Z>8gU13WK6KM7`xvDw zO&L?^Nn5^qcC|Xa8CO6kmE`}r|5aN`Q@RZ}o7=heAwsE@Qw5Qs&PdRjPA!8%OV%&* zk`^>con3u&lj-LBCsE-E$h1*@ND(F?XYuw{k0o(gMe?Q1?6t z)znFLo2f?-sk%oQsZgtf3DXo9q5k~YR+7?Xi80I``C_&pS9tq+4K~E%NXD4Wsn^rWWO%CgoKWsH6w{es{Lrz zw9c`DxsZcOAJqHx8%k39Q-X2jxmevrJ)6?hW%YCBsg<>14rEp`eXCm_BX*Nb#K<6I 
zkpIF?RpxL26?syB!VSjwXEl-7lo@`t9e2$0?Sh4f9F0Yw;&(%x6g}z&pJvYE)x^|e zUjQhKGyqtTr{gJlu=e3MQPfgsb%ik&(s&(dIgFO2wT^U;CwgoslgIZW_~<2Q{&~L3 zcT+A$m}A!iXQvy{8fIL_LHQ1~K!5Oe{A+tpL?^9cO3_FZxsXq($p2Z2qyA9>pkDsf zv|>tky7YN69KkR0EfAlO>@D8arjbzn{q;4daz&f8qj3K|X3BD=`!WQFPEEOA+z83h zQtG@}eig!(aJ0JFE?)ueX7|lY5s_S=XfdygSP7;^b&wwkPERCf;=WU`?K(f?_Y}U| z=JVIuH(ehDLccLY9G|cKd%*fsos|tw?tiDzsWMz3$H95Bu+8w48{RObrW7}+)QLUV zYuUnl4aNLC0fKhGww$NUhj;qK13Wyncm`(K%b8?N(riP{OkE*GIDhaw_C`a8d%=52 zseWK!%$4nps2gEw&e47&(<2=-Hv2di#-_<+yWOohOB*u8T9px2MGZ9gErIcS=J^@Q zrtj`j&MqWB91_&Mpx!bitlFZtQ$A;invSXSjRM~pzCDoe?`+GFoF$VL1&zhEtmz!m zrU19qDy6jPivBJGKJb?BFHoK}!&Z`Ke?5P@rPr^xFc3*7E%$o>!C#yq0(4K8xxVLC z?;KH<@b(r>8W3Xt2ES&4)nhBh7+bwQ3n7540gv$>+2ykXJztOUf%YWf9r(=*x}-n&1SO43hZZiF_FEna149U0gzQMH_FsTIbO4oGH$~)(+AP%~+Yg&B^Azk4yv=v!DFvm2 zrM8bxp4&@nkzsbX7km#00O(KsoqV&B+V({m2RW?jkfjJo;JW0i!n|#WQrtp1{mL=$ zbJw-c-O+HEu^lGpR?rNtp5|D0EfUe-!Vg>EmE^)TIGwB4d&Fdv-0V7Y-698 zRK?9XDg;#B;;q+g0{fXNdy#q;8=S$@)I(}1#W0s{GU0o0@y46e`IWKhk*jLveatLk zSE>wyDG9{9s_oOQ7V1yKB)v;Zc>x6F90sv-a81pd$m_eD^Ix+#_-)lV?@CYB*X^S} zV0H@p=D!7`zyqvY7`Hny#>24xF{yu!uYI1bh9{?q!dz!XMLv*^FuHI{2{}2ZBwA+O z_qRFJO;`1R>V-UVpd{UM|7mF0*-1VNYS_q?kB=EV%Z?Ib=8s*Szk|ziAZ zFJf5GOs1n%u1+PnZJ)*UlGdn$Heuro-7aXsK=@A?hWvgTx|D zZwqsaBzuX-b5hT;Ko%v?@St?250gqABzZ8SF;6`YV9h316@K4OG>!RxeV&#@ey!Y0 zD%c_G^D9m}b36q@XC<*5l)`_jVe7Q_Tg5zJ;Ylu{Z-XRd?`kI5`=!qEl6)(wpBmL<}yWPMKV%P1;@hpQ)5XN{997HcRS|v$S)~OE~0j3fE>8Pay^-janVi zCHJ}7j`}`b%+@rK-yz1|nXT*>a{cwWUIW=VeYyq)G(Zl)HZzj)d+R$K)@nTNwR7NI z61EhoiKJJt8uKB@Qg~2}-Gd%zHPpA4fohWywe#*0{VPqGg?_ZChv2Tg$rmNt9xG3U zJ6C-MkI_vebAN3EZ^#f{ws>uhdIQwA`TD4niGRXCZcPM`{Ub78I+h`_^w*6;^ZR#x z(o|7%^$2{tH|rT+jmSnu-gmLI5K{HWVWw}d@&FCR>f@@mfw%Q(AJ3h{Cwwgfw#Hu4 z3*N@wDg5~Ax&`rN4^v->{{?M--k!S+lUqDb+b4X&&nf(Kai>7fJU1%@K~&l|(e~Uf%k{pxgr4%cVpr--N0?Vq2K9Nmh^jdC)@-vs~QQ3@6I^x(V z-z~oVvu`my6%wB+ab9IO{G+nD!K}aE2;VqqFzY)=*fpYlfoO!MRVy-}J?SLBtG>d> zN@^NePp5JXxv(^VriS{wteID`r#Su=T^Wg}C49VILROC^)`PNv@`#75#1C}-o2m+R z^%+OYOkJ2nr%6assp6*;H#$OBfE?PrB*097BXlX6&zfMJpi06!o2F 
zK@#0SS}BNbdv$v1bb4ya7QAJ2@sdDgp{(-^QG0r+0gGyRgzul$`eSFTZfg=t7X534 zO>E+M-pAUkQ^$}(Me;avPxm?kei%f_cw95cI5Sz2K!=y*YTrUFX8)J6^EV|ChbZJd1XD$5)>~Ss{6EXF{po|MoaZIEYoC)am_x8J z4WdI*ttIO>kxVY%GdfL=!)lpiqN#OI3h&F(>-%{hTF-a8%lIp}Au==J38Vz7z^Pqo zW#^D-PUA@?zmV;gDn)xkAFB~n^PnK!0fpEM=uX|aME46Ibc?Vd;SBTC^qnNl&sl!4 zahVi)%Y(^BqLR3|0T9-rN%{O0{$1OAu#uYu)2Be@J9s%L11BLK8vQrYiTGBMfGR4; zUZ}x(R5d**g02kwwS&d662j+#clHuZJG6cTa-CgL1t2a8`6b#9Rg^M;`9YRrc{`iD zX@XxcK`(;XN<9xC1e(H&$mkb#vM%dwsmxPnxyvl2+*dmH;#Tss+geelY6ipn!-(z@ zCMYtg=%>Zd#@_}ALg6O*W%r%m3|S?(uf*?*d3Y>hc&zo$t~}<3_^kDD*qSzWgxH#d zzBKJWyU5`tmr0Ose!dJQX(a;qW*tQ6 zK8MR{1gyRG0PpAu%n2>fC(JcGiF*nji6tZ~kG}a`dFLJL)rU~s=;xWW?#C>|3h=jD zvL?U~&`atD0F^+8qZPRRagC@5y5*8p8BkCh*ieA|U2@1K1J(I@K(Ce4pUAJ&wvcD< zx=KmSo6=2=K_|iK&-VSHBEw~0_MXPb-n;A#8NR#z2mH}n*bo|uDEAzCQQV*+g?1T- zV!Pnn1*pE)54;lt2yo%Rn=X*ujx)xKSAVkYRU-|mGU6r2#^$8SV zIPQj*i#ETR=3QGy80%O_&OR8+RT8+|WNFZPK=*`LHFjfhfig}LHu0|??eVmN46mx#{Bry*Dy(4bX zm2FK@5zg)nOPZx8Y4XzK0He>ufx3>7zmo;7ZK0sHYxo4PQ6rKm*l#O!rr{`Qk}0ZD z#;2uIH3U`c{;~*6UVzyt@jDk#uLSL2MVA=$&iso!t@apKh!??XX9CoS?&e&VI-iW9 z)n2O`;38B+GQgcg={bGBG`yiv3scu9>cbla7CDSwT=lT2i;Dxy_A| zg)MAOJraq#rW(7FTSiBD*Wkjt%IX`{tB?I;sIds>9*$`T4`lMHed|BlqLm6Y<+_%P zi!+AUN#MnaJWzT3mYnwDJ_Agqyy+0?7cHQ04t?bXw5VaR(Pwt^r zHnr?wKcdO4XHS7o{NTk`Rnbv$`Hd+vIOk($F=x@|q)O3aToM@RokdQe;f_bWf~4|iO_5B-=}jw>W~+_(sya8#8U!Q|giAD38B(^$B|@T5LN%NYBAU8~{x-^?WF zx4|h*jGJogM4_kJg}CjJFI*mGZwm=fvQJXLk)^lPNeUOz>rXmt%FB&|IqsG1f?m^A zz9R|amn9*uEVcHd%*g$7UJ+bY717kwqeqRytIkpc?VZIFqnm-ANpGZEW^%@rVm73& z`!!A*=aHqXS{2ay)!?kgwA4^pe|Cnc#ySyDfA}@;K{S4hUWuA}273OW=CP5Hr`_SZ zzwEwTspwbuB9!6}RYuO9#^?=)s9W6okKBd6ONsxV&|gAa)r-VmV06J0dnU-ZjA5sOqVEX5r;p_vQcEFbc<)vU<3IGceySecPcYdlHn&a z%8V3fyMPV1o;UedqYE7QjO4y001;WfkR;IOZ#^wjz|;*TmNZruJxf#7utZt7TKuZA z43hOWQHqUg7S)>Wr@nnRi-YQ64#8F?EEsLiI@msYy(>eH3lVDfMXmGzjO=ITNLGW7 z^nqr{U8t01w2hs~5qE{8;TDy_d*?uKIm2{`f>6fN7QHJ(wdLd?r2F_&NoMRh(v4ac zN>NgB2t9q0sQ$a73hk?e)lvYGrP#A>5`@y$<24{w9zlwYypTD#SXT($8uN@ix=Puf 
zT+WnT6dOOoU$zFNVZr-PFf7y^-c=9b2Fm4AQcb)@+o7NLBTQ!%`FzwEALY0fRvbRw zAbA*HrkM0~#O7DJw4`kGHr=UVNN1wvm+yE(zK{6P^hch?B|fV7ldDT%OS}DXN6aD5 zKXq9Po*Hw+w%Je29I3uJw9?S?9A@&5 zL5d;(O*i4=Z()=)6J6p#$37;D4%E+)oLihKF`7F2*xZRlULOCAKmg|Y0?8lUk<(g{ zZ_j@`-=T+rU$ox~4@;ulOvs2!;g`^^+#9h|-Vby=pvN50YqHiKx79#`hms4bAsnCyE|` zG1!&r%Tv#I4Q+h5JkEdu5a4uvc@3r#qvoN6lm}P0c#YI{EI&*68z}ABSCEhX7!wu3 zszNJpcH$H3e)K~AmB-NEmGh#fe4FFIOXdOfS_^rDPG0IR_>ax#Zsy0&P3ZLWHLL4S z#@^L`2dY&@c#t1fp9p9)U7DFqzto$K$V2Hgwrb|uO&i#Gh^G7lmg0*j)mR?Essq&1 z=Q&WO%9T^cUo!`H(S71)J#o@Jw;^gXKbrcX%bku5t0xDS5dj)|=O8k0?B@EZJd0%( z*ynh+B*3h8-(C<`XpB=@{TMnEOUfOYW3_DDor~An()D-3z0q2p#wyz4li2SI0J_^8 zQ5Q#3cZGm$kaiwlT{1jId|y{jw~Jg)ykzHE+49#f&9YQ=QjNXQx8E;b1c zeVZJlcb=T24eShppKWPUbj;nz4Sjqx1oXoSSZbG1 z-&5}G#bVQndt#j=?kn+2&F#(WrJTm}>=|>m5@WY96db#$h3hTtnQ66N!+)px;j|!L z=lw7qJQnwejCM%6P|vxGn*}|CkHBeE?or!a4RLzD^0Nk-_H% z@e=j$A=z^j&iSxx-|W5hS69r^#P8f>c7?<3RHaW;G;1(2+~BesgDv$#?)6PdyGyCT zIDhzrUX9BTGCSkg$H1;jXFOzD2q*N3L=s_G6oWscLU9E$Fy`oyhXqpW@+S?5XVECR zVh_iFA?kDjIaw=z4J-;)u57PWQ?KdT=odFC6WWx6QkS1>1lB;fWgm2G6@S5`JOsI-aT zo}~ueny?f-dM?Pq1|Flq@YbHuXSpUz?{pFUV3MF$Ld9|?Cz(VVU+}wD#dZS3bnEeE#wNfx z$?wXmH++}qEv@beWo?DIKPjRPt1gQo=U(3UDc{6` zs;a4VdlQpmjtUbQ)S?VRuS@4O9Z-&o-L?(?9a5EUq9wMt++^fiW3oQpXWgjM1kxGN z9;BLgaaVv7k8hNhFq$x_Cli|ymR+PY72LLr!a6VL(^u-k9H~?1i$Fi#3kA-mEELcm zNn;YQckHS&Q|+;DcKErdg?ik+4u=}veUCP^b@1ywN=tVc!^(+@-!FCL)vHu&Xa&{2nbD-o z0ZVcQy231E4=Cw)5&v|i=j}+!=?=NE9|x`JP;|qB)JNj)o{urdHER0kZ8ck(54H{K z?P%`?+0YhtqM2Q(mMlW|itLbdEy(QK=Y`YHM}h06Q%X)LImm0h>%8~L;tMFdT|tj@ zCOPk@H`JgPmn~YWF%6!;U+f#juQC#S7}~hlts5(}xEB!-mC?*32~-3KDP4gB8@ksI ztL=&uI6_9?rYN47S5TUR<7=*t199es$lW$}j7aY*!|FZNPR|(M7Ql>gT&_fD-&0~N z4pP+wdlFQ6Y}Yom;Y|k+1GdO7zu&gd$KiSrMcvuAA?KBNRt=ync&q9vGe;_oLJ4e? 
zYKW87CQ1BoGIIDzE+_w{WQ&RACaY$P*(Oz*x}YYBzrtX+bRtb0a++yZMVT@qL+7=p zd0u3vz7!Q48t~cpSH*7^$%TR(k{bS-1L+DDDHlRyc->Q?MPNUO?GgiCn;}55c)L3S z4joy>w-?Wbj%w)tRbQ-`l*ToPj9#@4n~-zM8qeI`Usyg@k*O}&n@=weL%9k_{y=yH z($s``P)45;W0ZoiZlur?=QaEL3W&lxsnXEgC8#L5x5wsBSS#Lr1_wg>lid{2Dhiu& zELmq$fzl70IQxp9fp%s$e!UP``LU^ahlgoA;QR)wo3IjVHCz>4-RFRz?U|1y?A9<( zG5Jqh71H_K&Q`uvGo${&T!m!FnIsJwgEf_L0-K$hd|lPZ&*ca^4uk@(uB%D?7r-;| z>JqoKvzMTXwscb!20;f(M$ObV??b;=Q%VA=0v+s+M><76OciSMMkP-=T}2c`l}V4l z-m+$eb%`b`d70v60{825W!{!Flj&eilFfQ-Bjjb+2q42Nz*eNLjLSWY7#-5ad?*FbBd z%Wpd9li$~nV4t=6+~U#3kqc7tj@7y)PbTej#w1KvP*=k$j_n|?qk@HY4FuJs$5(F8 zv^I)$JXvM_OvY*JGQ1_ruW8)L2UEw}e|4HC^-LtVJw8Qz87Ko}@a-u%S3HI6-W}Lpl62o-!}CvZMV8KrgD4=H#VBRY}h#r(pxkO=~hi951U($OWBDpJqic34m_HU zP|G*J*+b8Sxm`sJ*F+O9=*uRI6{{DYFy<>PJUDq}oPCT(~+csum z+qP{xnb@}3v2EM7?Yz0K=lH%K)m4ktKe~?IYt>%oIZSZmdLy1FrIvQ z!ttPIQ-f%hhr_-;m<1@S@l}eHtLgGf7NODjjGTamgVad&e>=TSWb74%)qi@<9{Xq!ZFTxaxr5dV;?m$<*SD4GGne2;74YEB_iAqMT73u z<4CBv&1Sw16*uIt%Bc{g?3Iq};}hO*9$&}9$2u`G+JU4h@BD=!g-$z*YtU*Own(0!^P8Q_spSmu3MP@W|m~vF!r`W_LInCwcVQ&`hPua zgZo~dMytAZ+}pRT8!2ctrYTy^GtsAqd%Jl%M^DkyFVVhn8#nH8zy3>jc@z)M4%xry zeT%8VJy5N#J#43SlfEd459AXB^XQ51868Jei}1!zxwOwOlGEK6;*Q|ws;1S*mY_f{ z1Q@ALD}-+qIJR){q||@KHK5!h=)0`}(EdeKQki3qL+X{B=PXb(Xom>)vMCujNGfRC z6b+*4Q#Z@@texdFZgRnQvH3Cz6RJrM*!>oU#De=r>}EOl=ySA0)|rjGTkPA^jg4k3 zn9x%7vdkK!a{Pck>OuMsWVZt$N}Pl6byk;dIyPya{bOf=2^z25c^E6N!A3e8sNQ?& zEh#=3$Fulpz{Qucm~*#sq~I!{_q%)3@23xV-Ou;q>29y5kMSSz;-0?y?QYyxc=`$0F90UgrzhM@=_l7;(|BO7fpXqw{v&}k~rodh&!9l>fK%JvBea1 zg#!+C-K_jGm}D67EIz?zccU-mSAk9$MT#NC>q};LbO!e_HF_9IUNZ^d?S#Krb~`RQ z^@VE1E(bZBl8@SYF3%{HNNZY?;5sI68gke!Hr_c4(P$Zv@{cc9uZfVAnH_G81dFIr5_R8-ZqwPyU7JgColCyR;AVQBCk3(L^(?OW&*=#Q^1W@{R^Z^g7rB0BS&%nOmSq%+Tqcb62wtBID{~B z`3DzL)f!`d57pDbZOmh7f}7Inc^=%(kM?A>{XV3_XoCMYFd=f8xQ0@)BDVe|VK(O^ z)_Avuw#Pmfuv9_`D#xg;(CZIRqQ$aE>~5amkE*_L0C0%QPjUMbpW?Q;1K973Z|@^_ zK<;oE?}R#|uW1*oUR`Ahdh@S)9qon*TlB)V*~ zZTPaL^UvfRWl4FrDk9z*vedkNUw3~ZDPjBVK{)e!#tx!q3)Pyr_+e?M7~W^}84E6X 
zl51)*s=xQFWo_ajv)mSNu^2A`lc}&3zu(U9WEjC|UE9twg}qfJt@^2=8y7QTaoN;p znxY9L(#dPlU-MT*s#sL=L~cKR$J?6pObwx9X_ZeHj&(7mL~tpGJ?CVl z`-nQhuV9qIn}72X|6V{P-=IN)tyQYdBYqleuos>iO08h1YSo#hYUvM!QGzF=Bpwu! z1445NnG;AL-t&z|*h|YfOev~Te~rPlH6!M4|A(Hf!&=*MPD^X<0gUUhE2vu(<#nFX z-F298algNc&hO?KM3S$UnxbzU;=Xii#5PtbL|`qG5ij*RZXyxtkJIRHPFHgjP zt~JtI!pb@V-?uaqh89f$!7DihVDoIEvFj{@@8_}06#W%JyIaulz{5bn%Fv|v%sbQc z9Q1ECpp92qdp;dU8Toi`KqB705_Z6vXug!LjhsQHTU35!-kVY*yg;BB;CA}WBH)du z|1y$h^D6RkLmYM$r_gXQK)$?u$D<);o;l&b8dXN|MBJsPjQ$XK}ATwWI=H|0y)vuc;vCoc1vK z90w`|h_7dsIGgpW7qnj-C=>u06usmZ;;}1Tp6I?=!BU<|bK!z*0qUzSgev)b88HXAe4gQ^G=?$9k z#FuTkhtu^zG3e)1;M0*9pY)%ys8(>Ek(|qfBzj=XzS;&;0OJ$?r4@ z!^^Q27sxgyUsjLpS=>S+-vy2Gu7#(eqI!DwqUExaG32>a%7Nj8JZ4wOdS_vEbwb$9 z9`hDXLH57ol-~dpsBU>qFTus7bU1Lrc(idkH^FP|Y5kcP^aCv}y#5c5C;dRD$SQdm zUT!H6kmRL6_r#$tr||mr&0}Jef2jy8E51JVE-r8FG2l%BQ_ghv(1+HY;}yKDzur7Z zOn{sNdYXgUoo!ceN3(L%(oN%+xH$9&!kSK;*(QHoq9Z&S@s4_cZJkr0H;hC|Bzew% z;7$?D6a}KFmn$XI&f>L^TW-10ZdSL~-750-Tt_F~6k-B< zDo^cJ2Jla>j0r2z2xSzCiR+xshL(sucX04twQog@Smru65UJKF-D3~{lxVDQ<&d`i z1bLK;N|EDLF7&mKRxqPF z>p3Yw1VsGC@_8IIF|vPtZRcgW0e}&S(?r{Mz0r*fcV9Nxh(kX9>HnaPN>(_dyrLv3 z8?gtOWykO0^X2>n^)VI*RvvbYNL%~W%N4Fj&tc`!kF`8sY=tO2Y!}#nn~T{G$Cbhz zf*rN{%dn*v!=`o%Z@TM0LGWDiKh4b6kX<0-h8{8q(|>MNm;X9Ce}a$LLa-OsFl=Tv z|FicrGH&E9{ajZ6=qsBUH+FhY-hQl4XBajNA=tS;Rz$O(g#PAb|M}-Geg0=~19pLB z$LNQX!tRIrKSLcZ8Z-NUw}L>lnNe94KpiXZ&`5exLRD*S^QTPch`#%UD5>n8vQ_{6 zB&zvOdl{wor`U2!XOXH5m)7{l6zScsB%d;@X)H!R88ya*qdl*X6oTctpyZ&KT5YoJ zH1cLs2Igp=)e5uhlhDD{zk%WJEtvAo$6|P}UJ-1~T6UMV9Eh;F*9LhHoAZ2u{ z?O?eK^{=6Q%6?2=K`^q)r)f7L_%dpsya`&;8qT{HK_-vwY-+cTBy+zNAK{_h;}C;3 zf>ef_vzKwF+#QxJG!;^c+sIIKkF?{jL?i8zu*^`$W^9p8c51`ID$i#iEe@2YdC3Bo zujAE(34FFEGOBf2`%sL-)m!MBmJCn|7Y>rm4-TV**f(~j-79=@LB{p`dg5kD)f!6o z_@F6nz6RCORJ$Vo0(sxlwv}{D|7H3=K3a*u0iTequC}w8O;?&cS^e4R0(S~35#LL^ zAUYG;Uin=6c5P}olPXSt8x8LORDNFwf|4_)C1Qwo!nt2gYgacZrTM)@1=nenw_bS_ 
zEoP{N(H&P-itHo=9DyQ1ZbuoNjVaV^&DTu*5Lw0h$>||M%xT{m@&^yIE}BSBYRlf7Q2pT0`vFlU3sWXN025uj@6+o~G8%H>q}aTs7(+DeR5!^iR*vac+mx(ec`aJmPL=k{1uV(75$AF z_`ygUa%JVxSd+u5<+>F_Y=24kW(OK`dqc>26jND=ZuPNkRG$6fBC zUfiiZXFOI{$-zy8DSxx>g@OjdY29a+5OHL8c9^TF1p+7!xNbc}P_EJ5t*}mYM_Mhh z?w7i34*ai~+|oS;^0q8-WPB5n+a^~tfrlF#qEJvFyw84IZ(&?v;^4r7An!f^p4+XU zeD5w|Z}x0WsNb(I#2(OmUwBMpo_udm-mGWz!}bEm?W)jick#zx;tywTn|x%B0xZ`} z{s?Hj*dY$>(Hon>3s=91U7Fit@oX-z&lCfdi*X~@s+pWMsV3z%rBdID6mK!}Q{9!$ z;<|3ezs%P0CTyNlFCuHJuv7EF)ipFW>J83IN*{1avUZ!O>QzKng?g;-vzs7RT)>xI z1}0qwCw@<*qP2>qb23|fAFQIKK3inwCLu!dwHC8yIt?;g1mvPRvtX;Js z;}LQSI$jXxM<oQFYB$_gNI#7p3h&CaC2@MhYFsav`dXRBVNu6GB1 zj~}f4 zp47P}f^jnT`}uk0#B-GU(_|qbY4($bCv{5(nnR-Gc7`iR!xS`rIlInOTU_V*AIi?) zL8_S1;x$%y@R&8E^O(WcLRU`*_VJqX5+1hoKDf`kxvD=l@OHpKR<8&C+OG2~+YbD_ zbidT7eSOm7!AG&dyzI!Wg}&sMPeRec00m7W6Yy*4MUcDvKCq9vIoBJ6vgHbXP5Ba^ zrQ-|UgCNWrLJRa9I8S(xX8KLQtVOSRn@iBF84xhTcW{~8CTJ!O2%I^344lF9L)DRl zgcCd5Tt*Rkub>Wc(ba^!^!gTdhVyc@#yHbDZOntGHbBb zqQKK28Y1EqQ=dD+SXumHa30VR3Y?8=xy?pY7nY5YtExEu-fo>(p6A96lLqtG)2SU z9!pNNfe-w-{)1!KsP^1uwQnVn0L|F)Vsz;`T4y}&xN}y+Xu8p26ZKr62? zeRBSb@ND-klR8K5O0jSBu-zx?ouBV|u1q$wN|mkqi6R+Ji86-NJ7k8HeQtSTWV?K~ z*0@Zy5&2(!hd`4=l7HLDl7GT`IR*k(HG`Qw#DV48S9` zNz_njRq-OP2Fy1GU~v%-h7_-$Df5XU6MU$YcK*j!%_e3YEw5>~ko-UCzhJC_CaR&W*?Q;P7#9U%s8E#qkaU@Z-wcS4w*Wx)({u z?cHtPUZY~Z9N=*TS>(iPQQ7Mm{Z>@#SMnt}!9HWI_D?Z344Gi-MSHl*U%DO20vay% z#+31QI1W6V-dch0M@{_H+bwW5PmkYDA))`DlP*A8Zq`jxU_75U>8MJ;zbAJs*Fpe? 
zQ#mKYiWx~^(or-*b|F1ME(NS*6S_oW0RfTk*a<#QV?s|Jp*;q-V)UpVcJkpbdZrW zkl|DqNHYzQdfCFD5_UIJG9a$MeqCN5b7cgY=>41O?HOREF!kGM*w)L${k3-?bp;FE zwJN$Z86wEu4kG22I|<~vn+36QLD^z5?9bZ1x{rXlPX5otFQ{`KC><`)l+SpxVEVAd zJa>Y48Rd$H;;0wYz$Y5I|Enj3A#+u*XPhrU`wdjvD?sZ5RI4LElLti8D?p<|u6SE+ z8F^&S-xe5{h8tSv^f<9Y##x{z0^)`jMA-$ou-+LyxQn8aT{e+69N=xz1lw?ltG!gz5w z*-l(SxJSj@#~$b9`4#r#lKy`#GiyT*@aKj<3Ov)+P+Cet&BsWNKP#PZyHCAZ z!E`JRs9{)*@j;8MiP_p3xJUc*0?A{d`{V`6;Y$L+VD~_Q8-8&0>s|^T{JNe+-3`4q zIAz!$h0FQ80|Afb+FI{0Zr_`nQ*-gvw@q4z@lbHlrjH*l8@>gx%iG0O#ku zZxG?09No;UtgmX*;4Hg?Ozk77+Az}W$O9arsGWoaXa&leI+7twhNh??`FDr*S#yw0 zC!XXi+j<*c)4`OU-&)EQ+Ke5I+Foo?thuZtNFwqP+0w{m$NfYbm2!y0oj>)n)}5Ii*yM;!i3K zyz#$F?qExCb(!m0g0a7JX~Z(e@rk&SOKVejs9H|}yZMu7oJR*J+7l$mVlr|p?U!j~ zg!(7hWKcgl-Znipnl6d#UWp#>l z(_eOny6z2>*J$9iyNc{n^EMp(088IO{GiA-g14*AmfQ(mYP1D}j_}c1!ZZrp3S`{` zTK--@?<#6hW0(wb+YY2GL6fUR!v?Z_%)ItoO|_WJfW*uOhh z5`NeBE9)tW`+*Xa<-{l3#}Z1MN1=1b@j~vi4iN#WY@$RhYz%4UFd`RLhSUlf(afVn zu?&AGLNFp9FbLR&h*$yt=`5^&oZi&_^JEz!a&BToEAuu9Ju`88sguwPzcvJ(z$wB;z(hfDq8wE zeWAwM)A7k+?Q8uAy5yi-L#;SCbbJ=BhrENWD6O^}o^j-?PnYlTwqp`L((5SmYjs|} zE>DDeAMaj0kv!&Jb5N%-p$7$-yfRY-VK*Ta6(&orx;o6~6`_z7CA`_Xo6p95b|0)V zc36N>@TBn88dr}+$dLR@z1g7!!v}3fQun_k-6Wo(itDta*Jca(drx*;Kh(`InFHIt zZu{Z4Stx)x{Tgcd*QQA|Kc-h-v>XdZ<_eYMB;8JL=U|q)izoPwR6;5x5qP;EWD!L= z$e6=Ar8?eR*Q6JHnTv2ZVDt1$oa`MleHOsld*l67{M|T=)4jMm5-RS?d}KodKi9vp zgn1fr=C@l}-w8D@#P8FGSVm2Q^siGf2)EwpFqll37!yv-{0vie0`$ZG?X=PTYY!)# z?HVB=22tg0Ox&au&!XbbN39}3DLrPx5hK~6mDLSOITS%Z#cJpZTB7a4oaFd&wu!2N zrX^v|K%PnJx>E%c0rZ+5c#4PmjK#yRFL}TO)9dQ(aa&L zzm4Y)dg+cWnvzbg64l%hb47AnlZI|WhrVWuf)|>zjzd(-K z>KVtu2p%GQ0=aSI!*#wIFj#vxKL@wDuCcA!EI**rY6e`&bSq((_|L}hnwyEt4JMQv z^zlmizI^}7TGb}~`{{B}PANcgE7d}SW22ILv;Xl}B5H(Wunqu`f}E&Cr2cb=7NnTC zmV)EwQ8l~XoVJ}BR;`W=hh1SwaaTGyW%#?Z_A{+oZd+iZUR==E)Y<#wY-^6?FzT@D z>9Q$H1yn{sJ!#1cv0F;*tbaXPJ#k*1shW1;&*e6zz+6_cS+2-gS55oC+Pp(^KApZ= ziv({NIY5*Nybo{5T*fxOo@a|#j9)|zwCzn(Qymf1j{;k_8g)QX5|=1b 
zV&s2Kp}2;`%%>X8HV{xL7dJ$53{rxJhMO8%|7$wcVJLv!95_6@4fPQemn1aKAdZpgf0(8`DPaE5Ug(mWwwLE*Hvdqr6ASk5z>(o{W<1& zHzOsXrt4)-atApIb@%J*D{&7cr{2paZ2e( z-&9Jsu&kubZeo4I;PI>?i=c07R~OGaj&bWi=ud}|oFp3=?D3%>Xh-W`tk9n{r0EhW zr*&;pzDP2X;(){2H7~T$@9*RLV_k}ju*^NMLf!N!^1JcT;{;DCG-Qm0VV+jDSI;jc zhaCR+Q`AVC@D;Bv-Ot@|`q0TBe(jvm$Bc?R$D7`;=UgKySvuWXqVQhL7LO-QgrO7a zx9CjjQN}aKl$gI3Q*_X0JdxD|O#kXnDk!v$mEBUz z6Mpdp#OhSBuhn7hwR*~S(V0A~?#7Pz^5{Jjb=M}}t zUqh945GrRrLt2y=iY0by{XL-hp<^g-QwW7PW9KMyk!5CXC5n7JxY!BEOUw%@a*WT& zoBa>@(ae9IlY`soH6;Dln@Oa30A}#yV3D|zd7!7r<6Wfsz%)^^7zwpIwoM1I85etZ z)~DE%3z2M`h+lS`a9_;_XiXacs9gCZh!ms;13Qz|6gQ@j|IhktdPgt{f~Icnc}fa5 zK@xh3wE=9KLb85LwpMqCmqS3d*Z1Eq@%S8aRr(tGoQHy4YFbA{x{_`{yYP;eOwjbD z|Nl@=n%n=#!S0Zd)Dk;MZlR7-jvjXIS&%VF12+}~Pqih~rCQ2yJV)WntjEEg7rs)p z7|b|wuBhtzybh+6KnCp51SSRSJjPbw>wN8RzOFBS_G8@r#?k<&e{njYn&oG?g?G^Oq`jFm@1j+ z{_p5~%-VFLiBP`0xNi&r2h-u(cdJfG_gzEdrloKt9y%Otrb^%-2V5qq#=kxOQ-`!i z>90DH?3=Q3X*ESjS!%6Ue(ec(VZ`Oj#&EPlfX5XJy|qs_RtEAErR21!!)xEN*y100 z3vCr50i45VA2|KbEsst@>tqFh5*?lMM$ABKhT^j+dvE?yysnl^acbaJ9oyehI+fVv z+cbPE4gUFt@7T`f%a{!|q~PxBnjU$F>cWAfO3iUm*i6ZYd^Ds!fzR-V_Sw6hk^ za_wJiFzLyv59LksD9dcE)Iqs<>Dsr}yx6vr?IqEHt~LjG>o~<#th0@(ygV`&p5RH@96X~52R1=15WmpMMA`goY0T9-(tTnSU}u{BRrjy_6{TY z)8u``P4ca1dyO=^gAjJ3^kOsgBVlLE)-+xX#kVitlCbhuRr_(wm!bEzszABW8(V+N zG@g^+du5uXc$=9DmDlKao7?YyI+bsK^tFup26tGv+ZMF6i)`a)LAD*Rqo=MhU;)?MRyUI%sh6HQ%0TlQ7LCEf9v2p;a zHT!jbTV(Za3_@AgR>H-txHTa7cVk^RfJA004HdvD9mH=yd27pK*3pE>Mq;R0vd;4u zY{e~#rw;tJEBT9bstK^3&m5iBD9idmJZTk+9Ez&4X)o@r0YfrGzj66~IO|I;fL5A! 
z$3I_1OvU>>K>GU9j!v)B@ggyFuz&6IKFt5o6ig8ewNE+ircqoo@`iAR!08RjKK?uU z92$Qj=__SZCpoAC5&Sh-=9-cyep7+viO%61+aTdttrhYEo)Mhb$D2ARzC73cnG#Qn zd%39>;AnS=qs0xeJk<-B{~1m<^~BcVR{j6=nrl02r#}a0i_4PEe||Fazm}&K6Mmxq zi}}Cs<>vnqS^3?kwYp3NX?^at==W;9Dh%HQQ!HXFYQrJ!cFJ|jdbMw^6}z`TbBny*Xqy;6D<O^dxZPi*|5#Uwgzh zxs@GBBr#xdQ4{8wQz1F3NPH57d1TWE03T7|U!UJCZDnOw+bmNx(>zDIg$ z>54L2)u<*eK9~g>Dpj>$XZAP`n!H1~^T&*cQ$MXk2lz=@Hraoo#aM>>aI?T#`smP~ zxZ=$$Rq1wLT0)yNSv^I~a_B2yX)B47W(=)YaRCWemRsxA$*pg{t>+#jtoMi|)x8P#o0q*l7Z0$A1Uhxf)x(oM0P zWj>qhF$S+X^bjM}n{2|SEIYrGwuX3ldqb{+k~G#V=g(!DS07q^Lbub=v+W%3@7Q)7 zTqqYH#P$cxanPm4oHH<*gwNls{JbtLt3ve91N1Uc&)yREAn6vOy09yC{jM_2WR-OME z4I95iKL)Xq-zRj7r+q!IWky&-YAa8l_ET2ITWSyQw?2+n4^_!^ho0=|NL2IH{MJ8y zBrY^FSkV1_Rb48N=S3{Cp`^JCuUm^dQD2vUo@yIVo*rmW*3WDELzDcHZclQ zL*w|yKf-wrBToi-N5M^JKkW5+=%lJ+>?OHAixXF*8K6G{#aDw53Z)eRf0D}p4&xT` zDwRn?3=OYPx%$Qnhu*fX39%SxjUEHicV&%)q@pJwwvDYN}}E8 z9?P28j%99Wn2*(;hsmOii8gqaZ7hq_Qrb@3t6BrZ4w_WL!^vU;ZX7om!sM;7Z$mOG z98ObUfVs%agJ?j{v3nG_Kx4VXqlwxKSDO;quh)t(}MtulD>r(lkWS7^T{L$zeN; z-UzNv)A&dOy81JrE`P&eLY-uiem^F9@yrGi`yJaFW~-J?u2dKPd=8yxbEx-jU&9CU zIpF!$WbnYNZh+5y8jiAVP2|#O@O=~dX|ws6QwW8}p=lU=65`bm>obNp{?&96_L;F> z3x`iTpQ)!3>5Sh@pxj5CJW7|>+p(A^KRIuF980%8t}OIJ{a~IkRFicb>)uN=iL4{f z+CHMQu4#fzrl*}F&7I&a&78>WIjh1$zhb$pt$??3g?Zz9)R*msex4rtzG%kYuUAL~ zwpVLUs!d`wh4emUk!-+COG@Y(-cmHW?hM(~NDp}CP36{w#4p2vuG$aDloy*alUKJ; zh)eUo;IkqMbWMJP7jCJZ`x1ze)(Lux)8sM|6o+0PQvPlpE}a_t%Hn8NCjC|kvTl`C zD2B#!UUX--U8DxCFQsYGP%8>`;tsW~8K8khIH`i7T#PcN(!x~u&Mo^a`&J{qwY(|s zs%OoYZH`^^Sf8JRR!L2}AY(boVPds>mb7U54AjajPpS;H)+Q79d|k_FX1lJ6j=zu_ zKMJ1N(K8NH0C==!^|lD>m=|j*y#Nt=IXg7VU1E4B$Zxu7Q0@xY`dDP)+i;%Cq#@k;l8jL zitngs*28ba^H0)_;a+)byMD+N$*qBHn&dI54K}J?fk?c>{RR_m*5!N0MpvqnWxK&H zKTJEur?w*MY)8|*4HNf$-7EQ_%ZiQhS+Lqg7xzu;;rDU;INr~>z}LmW$H)DAxoo$! 
zsh;{Ci}ihDq@MTuI4>!{UwzdD<>u5Gc2=>DG@HZ)*WjCIF__-%yKoTD5H~*m(49N@ zOJJv8#AP5^-I&v*Z(dxbV;`IAI&-xSch(vby-CUJGH*~j-w&O*4+84UYTA{QO zh?vk1e}vmEwSqxL^2W~q(A|@D%lP$z=BG^tn=WB~fCFXLEwkmLa+l}8T)Af@-1-nS z74kfviMkSvo_uMA!-A>SI186bIL^DiP1XIGicTxL@M~jLqI%OMP0-M#%`lXOu@J~j zwe0Uumrpa$;g70|G^*Y3TWZ+mfEx?T%ry=AMYM>;2tjKsH6z{`(E>@tcBGOsUV#yV z{?>kVan;)b=8!VOgy12zvQmS2rZ}m^Ynq2g=9ANZOU(C`C+iFjbZ;`uuK2QZQdz03 zSzh7a0_Y{N93kx3rrp}JoW%}-7l5x(eM%a@uZ!w%yWImP7>?xsx{U=xsvDx&JH3m%S^D;Qt+(v? z=JI|<>lk++9j%gMX0HC~SOVb0eYg1ds*`qCenZ1{2a4*wI5VeV=H`$#TsxWi=*(2h zFvih!XRJEe_0Za3Q^5Zb&B`Fdu%R59J+FH_0=xJOBl*aVEBh!$Fy?cxSq4vdGht9* z{;jM(goUL5xIv-MYvcB=b;U}BhlVpp%a9v9hQ-Iq1F5DWCFsfLn#g*QK_74NY4AI{6cLPPeZdf4tc7xF4FZgXH(TPIWMHU2=o~!ho#kiCy#(vS=zeHn%j8jXQIy zw{DT}-IZP-c?>UT^#-N#Ot{ct+|mM23Q+MlaSmk)>I}@Q;i607Qyotl_Fn=VDz!!( z$FSR-3R9Qx?4)Ug-q?ost5%`#hGi4OLdVUwqseA}<(fT78WgkOr!oF9+3U?GYP;Lh zq!|(b)0C|ItViN=f;$fAh)7N~BOI&Fr^&Q1-&$i$mc=P zVxWWcSwJaGGQTI3#+lqse49J^Ga8Hd(t!=FZ9`b!@xy_{fC3UDEXt14hd=hnLV|$= z0dWB7$(dM)AOsL%gye)(n&LmKI{M`M$N8P8I6|7jj}+Er!pvnFFOhv0ga#FMyWGM6 zX>G8Yi4HP`5XVW&v9iu{bh|9Ro#W%@wK1$_KUxiR55{JC>fBt@N$m3FVd$r}_UM-d zP*Nia^q#YV&9VKNpA`xEnIEb47Dnz;5o;C|F+)c%6$OW3s7Z-iBCLm@F;a8AF~ zm}eijzfL_R0v~5QtNVLq^Bbac%mK0AOB41N%s-3H9^Q1?4wx3`@AVM;0{AM5bvyO)B+#GfN`cefl7WKDV?p9xa;z zaNgAI6#p!XY^s;&?-laL_drC>7nYG^C9w#`g}VF8lT)%!r1v$ zZ-2i_h9QB+&((L;o~7Xc9s#>8E#25k3Xxr+G+u`OD%@}udXceBfSHWsupKWBH_TwW z5mr5Lep`&TfcGQ8I(V{Q&I*!%;1 zqlL6md|(PNWnaw?0Q9_{>Zg?G?ym(&PB(jj7!iF%u!Nvl&bJc`u0{fy$;Eu;su!QX zAi)w`MxYmUpIFqP$-wey9oe>Nj;Iw zs*RzjNO!-ek(RIAV$i>5&HsK=GC6!b0#41~ojYB?4`ueyRjda=Dib!Z?ZAq^X<&*u zOY}@8y=RSj9~>RTP(@{6CA6s}q#j9IvRPA{#~W7UMi}s@6OY4p9NIjW&4a9I9%tTX zw$Q(;P2aI{AX1&7P&g-6!o2iY$kLfoeZS=F2FXI(+ZZ25TP`#O7JQ7*T~9G(3_26+ zwlo@BZPJ;=Y>@3GCpcFR%e&s~WTR?#|}t9*behfbJgFoLj`;Z!33ND9W5SpWy?!9{LvtbIL>183e>^E&+BUv zWuYwr1tu|t_0HQ@6=7cW_R!kgQp&Cf>iEE`%IkSJcQ~z42RO> z%T}{#ZVxF#!mz==jsm*MI@VMWO(6bUhbnE2B^OxS6&>l*tqT?$xbIK4GNgb(AJSg& z%)2kT=F_?e0-X)2z=z21RvY#2fnNq@z5O@u#zJOv{et<8b2I?o|8jajELkDzUW7c*@bvTZ}G7PqowB 
zZF1Z}I~k_Nmk|OndcM4^wXA$vqs~WcTb)uSK)oSAZFD!_clRk5A0(T$R}~3egjhDx zf+T7R>!ypP|GwCA*Ly|be#~1$g7l}4D8mW5$B=(rB-KRBl(qF6Ic#3cj<2_h`_<0J z z^{4`wCsvqCR)ffTw!-wsE>fv?Wki)J+lvoY8IEH*z1@Qc_S#d{g;B;R5U$*#+IH6Y zvi06k86?xHSJ9aYI{HWymozN`h>E<(Xb`O3*8~B+wWJ?}ls)(vf=wIT=DsBYfl14p znH>3!gL)S}{pC1tZ&y^eA1U%*^jK$ndi}T`yMVmV+j-2OmL&1T?m(hE9={zcHgP1e zEJ5SZf$B|n?(D3AE7tIkX?3EN2HD9V8F|prho_1JT|FWNhgjjkZ4Ri1&q5=UQn-_` zLPNQ^LEU*l@q3U%%2$zAiysIUO!)Q5WhpKZRtd1jjHy^-U&}KP8+{b@vHC`rv3C=U zX9e@+Q5vHx*Ya-*Q5Q5znJo^7g-;HTcMFzhTI~^E62r`1j@XLmb>Qu96dBBEN%jv| zEn1hl-2-*Tm1zy)2S`tZDY5H}ii#_23K(j}vqc7L36)PAa86pYF%;@@vndH9^=E6C z2xkh&YBQ&8066Fmvy=g0=E_zlA5HwdS|rO*WSN8G;Qco&+A#zSlAw>RrJYrmlT{_aX}*g=rx0K7EMr{1CJ}IzX5=41&xh{mDz15 zu$e!a5R3vXjDPS2PITiuckP%sSuhEq`E!IMutEgh6|SS$fO&LPr?A)GZZ3d1?NsQ@ z`?WZl9`$tp$k}8jCBP=qKIKpkH<7oT)bTDl$6C{KI$5oM!^K$FJaaVhHFGxcz1IE7 zjmBCxfiRbCb+uY2f{<;9ta7+z;a+DUkG1X`(GLR(ui{meeN?fW%6`KMT!75OLneeS z=yGdG%Rf0y6nU3J053>LuzR-(_#7EbV70UW=3Z&FlSh!o@mB?)R@eRg!5(S$$7oNR zqmJj%Dk9?KEN80IjO~q-sx$aY>~c}2p|L!5hbgI^r*HdK%Q(TDJ_rTfgGlXHUni@k zS_c?jUPdROd&xwN$MK$Q92hL6ihO!0)zgN1=x}6(d$6d%RfT7DhlJEm?+mi$AKV~*F)AG%F}?Yvh_icvu>WRB6Y)NLTsR}Jl~cl zZ?o`bH(taz@oGKTYM5d{(Q_FiftZroc1u4z&`3qB6>f6ozqFJp@!u@4L7Ecm+zhq$ zDXRK#8XxB0KeXyX7>xQ;9!2~%iD$D5s4tzknnStMK$y1Ru)ix1+ANdJrji$|SM%PS z5W9(b!e(iZ-AKpdC~>)&sKRK5_OLnOZpH_SW9!=&xtXIIb1iDMm(X4xAq`G(NX{*v*3jZ`rO{rg)C%udt;I)n2aCbe3^?9H5*z z4^Un zI)rby(rwhh3vD!uP9Nlb^%4UfGVBb?LR34`R8`vFizOz`tn?JArWmp__rGe*U$?BL zet7t%Bd#4rf#7nr3=I1nuoq}US@i}KZ?v{c`Q zHMWo7q)2T33X{RaGOi=*9swc5D->EhGOMjJ3({U*xk$5l)Dn^{*(;?bu}Yh+W=@zB z_SgQi8j2Y7nlg4Rdn*S=t*X)JzIz8gg4=Y2B)0T7(8_uSPHYa$-;CSH6mX+N4L!Ti` zq?>w~>d!ZId-%l~nA1UP&`4N0`9&^iiT#l3z$-?%TdwxZ1pT2oGH$zf`ZH4j-wQFq zZtJkB`HXX)POBhP;F&mw6DI6b41nE*fEa=zGG=k)afD^wt4b-cCXRwa6PEiPJIke068#CD7X5H zgy^ngz-Jo*>1JatP)dpZSN`6Y$;d|VHB;iDb{7$46j&YSh6Ll;CYPp%JUf|^vM9T3 zAFF(U;8l% z@RXav4_<;yFsM};CjZE>!&Wx!d=q#Dn#;Y0?|7DW=aheg%kvvJ>Dg4~0vB>ygH_aX zRsRNucXDfOfvAy!!>xup77o%ZTz<{a8^6l6v2|s$RYaHU3)~5`k!J_G#T`;Hfmc*3 
zh|tNuq=?p`D_`@=J#O=h{fyL(1Z(@|qPZ8k*zTEw37K@!qMWA>n%&+1W9l8FbZ5F~(YCqUwz1o` zZQHhO+qP}nwvFAkt<&#!?!DvwsMM-@Qb|Vg)JSTrIoISQ%NnjM^}-Hlu0*4Pvcqml zj!{F6oMpC;N<-%eM&Sk!yBL z&BNom2s15SJq$IuOC!bHtnKl&4iJntdvw6-s&^GRw&1f^aVF{ZBMxb$2FtKDK{YT% zgU6tv2GjQb@eq0qlD^cfq4G?nun+C0Wm&7-JmDKc(u%OPxc&HkE!HXeeyY4n)mbjB z5VeL#=PP8~P>Z9}74 zCoR*BD?iMjhoeEstuif?BKX3mM&5SM_mymc=uo(`L@|`JFw##<;B4H!A)~{u!iJ+7i4I{+}s17~FvO_C2QC#q1 zB~ZiMc;wl!cWeR@0ac%tl>YCEo@XeG#|9VRPb^{}7pQTOdT5uP;pFqaCSV1E;`fw5 zVZhPY{(DqG4Pk7)3k)RrjQTKf z@yKBasD20IL8vInb`!%+e||>lR*gC_BLx&=kWSHYYl3Tam0>VvB75$`{QGgRP&|E! z)lQ~A#KrV^Gp#bj=OF=hSVE;5V|!38=PD0UDFLm>obLZX{2(P$%jd}$FQ!o)wad5n59JZxwQD|ZyKSizMJfW1mRfS zXz`b4V?x+vk=Cj8RHtFxKD8ir9KO0M7h9T~pe3slMSJitdNqKdz?gt$8A(dTTH$3+?4@bgaU6@jjIq zCa2499+AB-SfB8HT`L(G2#aw&E~@Wem~@J@oeXlT6y5@5vKHGbq>VrC3>5FeIkFeD z^FWmQatYX+>de_P=uFM-nynuQHB4=pNmtk?JIxZ%lYHUEl-80Xo^G!6R*V28@q2a4 zFaV+D08`6@4lYRxv#axNB^>N_ z3OaC!u*fY9NP92)9z01V{M2iHhiAoEJn=B-s=(LY+R=m^m^8qdK-wOsNx7XDSj zNpgd!GZxrrsFQU|v;aV531ue31Tnz&%Hjg?0RvOr!D!^ZJB&@uTQ}T6bT~}eS)-*6 zcY$aJYYh{`_aleq+Y6r6G}pOAu{nZ}#&pG|VmA)>P%gVf+S}_TLTzI_`f%kZWjD#f z4{(j4eA*3=hBUe1dh9ERcBb6)2{`XsgdFP$miG&ed%xx(8C*^lh2M3NQph5|0k)o5 zxsU`(EZ@^uX-+=9^HFwIDD*viUpKnj3ztYG#vBd6asSw*01mcGIxg?B;|}ZT0k94X zs9{j4hE_p3A$@MgFJo0}tHspYXdbWct?vT%sa2d1mslQtpuCMTvOqkDp#py6z<{;e za-r&FwXl@PTLe!n;q<3fetA!X-nO8uJ|jc)h)GtPr$touF8%XZEzE*9kY zZp^srpVrZB2-ijbh z=Oa^qQCVc+ZYG}ufTcByHR6xkfifKC?WY{(L+>|^!LWEW#88kHmTle0-Xvs|K?ynh zIKwHcC&hMEJIssES)6WG#t10-wPv?M@TZ5*nvWj;(?E;JNF>EuA0fRdXu;T9X_kqG zkguS70pbv$gz>W9dx0}6z%22xO!xX}6QgzAuGR+IcI_SdG&IXeK@v+=fs&iGq;b(A zMz7=WaCIc3TN`pc=XyV5TttP!3RS0&-jFZQVD;t+H$wor;KIqo8a1zeb*NANgi)lO zafAC9gZoTB$x};VnO*~l;4SJwd|jlbV2%}pGRil~ug?kfRHQ{= zqFuO6kBL}g5snUH51omB7ECnG)xlRHcT1m>{#uf~E>097GaJA2qTu z_*_l`Y`FGDHXS5L*ceT6VIr#RGv)Kj!>s3&_q1;H_-`xhj&wx-;qkr-kNxzFRIG*A zB`B+f4m{>=hy2n<|dn|adUi>quB2kTrrb%%|H$A+-)6@z7{Zf@Mf)D z&J|=SCSP)N{BH>7mf#sz#+p|zPI_5)?b62vGG)i?ELIynx5qS6(EL6(Tx!P6CbD#} 
zx(jkZ?*sR<;wq0kUe}1|_h0tC%Py1+ppXMe`ZqX$EVcuyt*vwo+HmPW&jJ|FaLNlP zeje<2#d!V-EA^0&sDKWC>lB-glL^j(1}2%=bGgi7G zcF$@@KxpA$q7m!*gQaL#ld1ueVwzd~&30P8ulxg#{0|M;VUk$RHc8cUW<7)3_9HfK zR4C@tF_S*}su-gxwt`gZ>r{L>W_7LmiH3{aEGl@Rj)nX`UE7Yx$jdy5GYulPn0=tw z0N~dvy>#a7sBJHpbW^nJG?DTTj(oG=_15t`_MM7%$JHIqG&>c2Lfs1M$&|r2uub7EtaT1L=ia07Z3j$D05j7 zrt|m5CBu@#mm?u^Vx6mm2*!`N2FmrkUI^Z6-AGwz6v%f!#KYgY2u`sZoj^NO|zLziRf0)AhtG# z&ygez`t8W{nh*zkna!pM2f|t2;}sl+Z;ix+QLyyaXUzX4*Xt9b(C1?Qv{=rHun!8owm6faz?{By$rDm+3p&$uCoLkRh&JJJbZ2MG4DM=Pq~x8VO)$G^zHZ?6>eaKa z#&$I2rM16Nz*FuP5p)8`Bi9-rfw*yrt?R*OY8T7ak2l@HnVka9@V#Zr@zc_k8+9hd z6{8*l2F@j(&Iy3;ZL+FqRe)fN6v{v&JeslH(vzN>hh*CqUsvy_$Z6)LVC-&GKFVRO z4KEnRQSA7ekbFi%)v?feQ#!M?Lp8RtvMv9f>{X}BuLpPQtcW8aojXOHTiGn>vqt%7s@+y+4W*>pC4KLv+v*m!hKZHe zkeawHXgB5wdT0I*tTkP({GI>268owU`UNN^TvA+wk5Ex`K)w z+di}O!-!c+j2r@9u;hjCP&=BmKq^ZLnhtsNrG767hWWH&JnADY1dCcHmunbLisQ{v z4552NG9n0<5#LFaP}TMOt}Q3h!cMz0fy*e$uRemB#<-X*iw?2c62;CN6oQ;wBYX$t7)8yBh86@0 zhT13t>Lxfwv}yXq5fUW=N=@Fe#jDMv9^a76y#6@x{4(g7&8bnn3|w|9o{EmG1h)&* zDf0$1k{F|5PjI4u7%hSDvFY2cyV_Y#2XB=()X*?LHGyQr58SC{;D&QSx=7TGP*a?55bv14=Y6%ZFmVQ z(BpU{ojqirK@~1)=$D+W%4=SJgN_luK}TejZL&bgRq>-e05t92G>QinA90Ck)3QcV zx-ohgET^44q?F_RlY!TWHSQBg8pM$r;U5)v-ftU#{U^7>fb4%jqp;_rh^I((89~ha z?`Q8C2VcL^r0(7DK9Qc!wQrgS=uDSUMj5?tq{m#3RT!)Q3A7>a;GS42P~UO+afNfeF}==}IExid^N>iIHc-!i&UQ2=JQhdP7)BO9`>S5f6!AUi zRSMDmv2RsZe!-3VK=JsBJ!|Xi(190Mn0EOqRFNL62TDrDRPGlyX$nzJreB}h7rKGO zHq-K{t2{?*Dm+1-ab53r(|tWrvu5L3vzhK#vC&WiF7G0(QOgmdga=apwS4BGQ&&%w z$aDl5B&-Y*E_$rV*&3l)2{?kAAgt)GS>Gg+8*`T52_@8#kt4z?a#J@YuW#k<-haZS z?<$v>X6o87QDGVo-f=135@Wxe@+kA8Y+TVV==}B#Mi~^?I;?}T;K6`1CN$=@)$_o5 zGrNQLr7cNm?;z!)XL608Sqz0saZiU-lfh8cI{=Uef9hbm!!d7bQUFZgCt3D1oIZq) zcM)C>U2kHW8p8}<%>l*VA+7}f?@2gZs|a%TTC^rJh?o&ZqyUsh=*e zd^aqF5=DI#0<8)PQ=-SkdpR{+^hqB9yMp|Vx!A5|k%58<&rgtLNB_3h1tCgjNh?_+ zCw5qNrMPsfP2?AeZolmzO)AtN@2#;ISa7~U#$Xp=0Y29cR`kI?lqF3TXTZTWpficp zxheNJ>~dinsMhVSo`4+Uw?#Z1fXTPc-S2&2vKTJysolTBUcEPT5gK$LMu-d4zg$f? 
zvjOtfK=XYYPJJZ#gEzW#Q zezy3lnYA3|sY{G@FURf0fgafhK^E)4mBfqF?gS`i=O8dbWFpwIwk}nOcvD-Hl{|r4 zZcfizo)&^AUF!E^6o`m+nyw|_cO@cgn#Zp)TM^RY;-*}p@9QB8dX~wZXQ(MvW6CX* zd7bt4ad|UEY7f+B4SeU$d_(DL@h*tG)0WDiHnhrz2&3R>ucWwUYqV4#rzUviqKmfl z+W_}f*I9VaMdWMM3HVWN>{A;VT+=~+)JRq1v8Gz%x<#niP*Nbvgvft((#>6q4sns$ItC1r`W0a)f==M5n55vXZDRjN z4M?w10lGF-WDo(`Fav;D6`4Mq^VJ?m8D8n>S+uDeEQYkC5{$_O$9us{#H@S>-QsPH zJY~H1Q&R6oPR0;~gdRJwl`Ah4(+4s7R$pT!FSfcqWoJX7fGstu#H#3wc81EXOk~Gs z{Dwg#4;5yjmqlVcq;_933Gwl%5Hf`L@fuE|W}5kpS|Q`sSLH0jH0qad8@PtCH^=-@ zs^%)k#DWG@OJDJCf-ERYG9O>M{(9Rg#3@;?Pu$8YGpvl0AQm{4Vmf6Qgol_>#L&bd z(&CwNR-KFBu$d=b5tsi>^GkE;p914uoG-pzTP6lkK^VpgZAQY_%~EF?J}PvD%8rBb z+yL?ovnK*uT8W<82jqK@eLf8HSb5m=%e3&8NVw=}Y5y>%S#(woq zpRa%%X1@3NABL`;c5dAn;pFo0<4Ps*L?e2WTqf%kaFA;dh||{MQngxzQol9#e&pj- z&b}ujpn`3j;~WlAXsCXFxgT;>_|db%%g-xhWC6Kjc>o6=J^x%ImoZW~=lhrx*Y zO%+rhk)u&pRX?xHKZjVT1iP{r_u6QLyA2(;$HQZ;@<1Q+&U4d&C;i<;SY~}U`yf2tmq%V}LDQr;uAW2OrnRDgCgPx#OyLFt!B|RE&5ud> zTNQe94hF8VCO{MmpyB;XTfmA}GYXw3b9O*96zOMZMTD4P|EmM|Rp?h>tXv4XC^-Kg z_({4d3%G+~(cDFig4Cf7@ZID`Q^L*2R|&_QbtN zG@9!hvmXEXac|8^SmEDLxs?(3H!g$-xn)66^ZJ!||F$CW#^+<6pwKp=nGkxkNd`A| zA)*drU5X<2;)Q69Jd86x8rCb%T@D^}FgJUzsviq9@7R7PC>7`p9x z_too?%@7_7a9c~_#VR-{EQi?BCprp9@Yj;2Hq&~;Nzy}!zgy>|?^=e>93Z&@9c9M$ zD~s$|QgG5L%|}@?{lHHuLQ6B-oEefz#b!HVw!mdS0pSJKBSNBqf`An*+g^vYc1SWJ~<}^q}muPVCXP$G>)-x z)^;M(PeG$eI}-6pluXHw9W$SuaHQ7Do?oG(XdW|x@uJ|fd!laba-cV@$CEwd!FPMiuS5B`1CpsDxM51 zS`y1rO5Q|v=aUzOd0R_7%#&Y#i1aC#^s0DkhCBXHgep zgEOK`sI6t!>T39h&ASa%Lu#34X7kqcg-t)d&q+%PHSD(gxr+7sL3yV#JH`Pwp6DF^y-zMCV5aWGWmI-h(umWo_}e6!pB!En+q$`p&?tuFm8m+XLe*l*QS$_tM80&-{^>_<#M(uF!ewzesUa9?*2j@M`YVx~`bFd))+uzg z-%{+imA^Bk-%D!TeOZIoyyZ}VOx2)z_=EFx6q!3R>dV9NemDH8`}00LuSznRnF!!kGE#tk zz|srEIsseb0`l|xSon|GDmN4Ia6l|P)@zLw4TM$enlTQTwGoqBluB-vpN@C>H;nvg z7Y&X5jb8EL^Zb52JMc4|j7EiLTZ21SJHK>Xx9FG%J~a z{plW_z$dkNVlw%wcG}3+DWmH&K*l0k>k&REFStuh#W{Kh)F>|I*+cWplmeR2yoDSx7A@=4qM z&Y2QY9}Cy*xFq4aXv|dCaz~*^prb@_e+ww$qEgQF0?T=Q2;F_*GX4U|rD?!__<--m0~8rbCk3epy3~WYmDu`xpPQkLs;79m9X!W+b5Bl`gm&c`Z33) 
zUGB2d9u0Y-6I4&@6iCWmhk4HdJzavjU-8nrH*)RdSZ`3xqZ;iAaCv7(22odbUAXR? zj`((JCL1)44A{0WkKhJ?`l!x@Nko=FCZ<6eekcOk0RQlBuk0jQiGVK7q46_l$EzBL zF=--VMV&-mk^q?XNm&f&$PO3ESn%5tGuzJJ3kgor-8}%6u0Zj`$n0*>3?@*hk;ZH1xE>L2W^ zZv2B(3TWlM3Tx=XqxCP0!%kF(TY+M@T9N^+bsG)*Jlpi2|4;xIT>_d_jj@rPOWaT; zfqov8_&H(xaj;l>ldGC*Ht#}czV7`*hF!bO7qPz_QS9qNSQN=y~&~b7=2v(`>@NM7n^z zd{_HU3}#<}AfG?_-loc(gT?ov!Jc8au{Ldh@lxIdHymKwF{VhR#ToTdcMw;wBjRgh zM~4Ox1HW-wNfbvFWG<5gkVOaGv!O)O24nBbxcnNJ%+qF8S6w%a(O~a(>c<|=fXC&` z%%hi*kuq(r+oG3Y!Gk35Lt-}>RoS#10Jet}R%*kh>J2^-CVjMWxBZ4sBxD&^2hZGx5Rz5b;lOSAVO%p_)G04Rez>_jdo4PO zD-wgadPnWwSMVX$rH!fN1a!V!06P-JQFe{wG|*0S>=mK638|C4YRz8*j!c1UwoIrl zYBi~-k;4ay@ZO(UPiwG-96Ng-dt>Ue_V%fp=x$&%!-9#|oY~k%oKV++` zw*5?+CL%_cEOQRbjjG|2G$9}su1vt@Pn~{jWjjiR=NY%uEzC)kTG`LA__#~MUvlt6&W8turJF6v9JP-~e;< zs%XwIXiwKF&{g`q!GtI60XKE%ezqW0ODBwOCi~5e!vt_4hbm{Dm=!shc6MpDF!M8W zRz%jYG9UvGQ7#%`+5=Fu+Zcgcps^MWEZ8m=oH4UzzLn5$`al+@EPgzkR&9A5p$I&T z&zATW?PHT5*_PWTk1hHy^eQeUWDrN;U2|jFxiGxv4Zdns+|>B{7UnBXtAZRpU1e+9 z!u>9m2o~}U%z!7ucs@TLewK-7a-1=Oh%{l;t|gKhbb90TM$6|2b0^}U<~1*PxSgwZ zYdrh4`#QV)B7Hl@?qc)ycVZMAxFqzWhD8T!zJFpw#k%j*AX%R?Oo--~a5EGJi^n12 zBn6SoAECRUWisj~l`y!8$OaY-tWX{9)hOt4sPBdsOFGvq6Cy_?tnVNoY2HigPq7A3 zaC@8A`8OOrB5;U{*UTv+v`O+#h2aJR#|9LnKtj^5xGbo-KKNp@fN=#E+6$&9FCUxz zF9rP-pSl#{jU7QYB5*?&Dtq&TNb5aarQs%o(ZfFUC6KfH%#6KM&bW4US*gFS>roJ* z5PP>5c+p>TXZm_AM?X&t;bOoY?JO&&`WsS6Hz>LM*8oo_ZKT!7yGXYPc)L4Ju}LV= z4_orWv#JcttGTD>CQ_1%CF+^r$0m5x0>Lfq!kAy_r3D%pir3YUu;?&WxtuUr4};?R z&K>KD^O}O~t{4t}$kmf+m+UD#=?eIJKY+0qRAC8`!;96}8dbmrBxMKqzyp_(94$uT zW;-oz-I?7t!X|!UN`h%7i>7*yD;LdaMbxcPMP1}V`cv-T4s+m=l804%>&V=O9pz)p zieQld(8>5rgLW!kwigL-lFf(DDbuG}kqr0>XPAEjfgdR7K%nJ0KKLR1ZQwi{+;cfX z+p2iLlm)4)2ArmN?8{U1ja$c53fzTk+-V)B>AiL_#zO|SCzof!*=GQcJg;lPT$WjTz{o( z_(YxUTNYxEHt;?jT;~slUwv4ip&j|kRqAnYZZNH3JX?-OXTCR;+%H61Dg_Z8u4X5Do2EpKE`b-9 zB6RBiITZ7kWqSQ}2J+YwAkHDm!xv7EPnCmYGX*`hfw9$dG7mC|h&^+fV5~tUE@1CI zf>fo#x$Fl=;yq68MDKvI3}Gee!#HIvC`!sO1eK1MP zNaZ?cAm4wgoqU~fQ@)_+MqOv3V0LelD9eZdN(2qFimp;??~ki&tc9#?pWX%5O0uC--6z|HeBRG{FD 
zN_<0>v6U8ZXrI3J0b&ZA19J>6NC2Wi7G+4TtR>U=Dip@r+Gm{G1Q8~Km@G5!zUTjK zEo37p+y-QuWkxDwIs`C`6U08bP?E$zv#~&Y7dfIiBovSqK<$mJHaks> ziOcS=A=I3_$wVk6oOnPROXFRfDj`|o@ze@Ekc`5;T!nCiGcbleBdu4k?SOD;j_qnG z4UbR;P8(1uWqqyfrzL@6#5_{gQ=rFymVS-q%U-+k;AihTMS6Q zY~V3zvVGLqB9>(wSkR*3dVG`U($c%X`Dk^*5$Uh=--O25~!Yd7vQCpK|Y^V|wl_uaFTdIo+hd4)I z6yNQ7mBxmj?%7iF7$6~*s0r*VW%vIAVyyjTj1uR!QbRric{VZlO-Dbgm^=LCK%Ns? zcLNeX0RX?QJ>3$v)-$bD*dr|`($QF%6n70J3L;C}sY1}WVK8HsyO2a?LG^C5n&5_R z)WJa#c;Ev3?l6TcfQ7zWo8B<^>W*aazE$3Pv9c$RzQ`Oqj5;~Js5FM62AqQitn-#d z!tHF%zq%yEikHlP{F&jkFLzI1>_04)yFCf=Dntn0eXc5LCOEV=j)i<#gn3fHtQk3& z@k29gP7h4uc|uD!!9g_O26x!`T!1ml9%hJ--p|lsC$x#gUEWR0hVAj$v&{>e(PX~o zx%RZG%r|kGsrXz7S;tEE1F-B~Q1FRIlS)sTPfz~%DB#E-*LSL!mCu=jm^1@mtYpog zbQvW|X!r-m)GI$5VAMTnm|#uG@%*=}S)9GzXLxAj>u)n`MEH|7yB&vZpY{PeJ^P5i zk)8vlwVs0(R$7+-xcVj-scB?CIH~Dx&&OwaRt~V0s?i^3h3;h|-n^B%vrnL{bb2_j z{*oH}#i@zrc5Pd}I}-s#sElp;dxy{a;Yb9S8!WlqR|}Gh6m-XU|LTJa-E?3 zO%B7p?<<)QInF}C>9YC}w!_cAiX~$jmd(~Zs2QbJhh7X_dakDX5#e?F_n3g42v&vb zqEQm6@fD04;gp2J6H-SUf_G1k>DzD)L!_=qe^N(&l9Sw}P&h}D!AQ2nnS15h=3JHe z{8*B_$n%X5((G{#^VWb>8307~yF4EHUZT@~^z7UkRB9AERuMAt)4km==&rs(SrJ-W%b~%X2kfzwL3jNYm1cfzx-w`mXTX+OU2VEGq2K$e=Mb>b zcL*aj^WR2B^Y@0Ij2&`SNE16*=ws3AtT=#~-2kU_tP=uv%nEnei@}2M)I^s7Ry$7? z5Yo#C9Xdo`%tV2TEg&yH5Z%kh)5FNj4GBf8SP`Zjlc3$jbJ^U{;~6-IsAUtVoWvVA znM5T@4gIE@ksW!U(T#&cqt!)oyF83$vxEv%`{s(UHx>YfY-{b8mK9H9>!d!Q#Q z#8PtJ1?ph`sXejTa~ht#h;} zy892e#&=&Rk<~;jipdK_D=tK`^Jib`ZWuYRr-4CSWK9y-b{i5*&Q#zBm#dFdB1&4? z(}-Q7X9tne?+>kDyPB1Og^Paixz#%9X5~W;i@Ft-7`h5hV+Oi zs}fQoECFD)%+@`VC2(|&p24X%RjeJK{~wSnIEnSAnjMPG`3HEppa_*bs$}D5x-6~B z#se-_(4*8h$x8-l`X*1Zq#A{wMAGYcOet<*l?!TBD0~5K2aaLyS+t8o^Z%Jy)%J3Sj;mYca|_- zqu1!sbg9jz>U7gDq^cT+qJ^EFw^NeRuPgUlxf%Wcr&hL*3N7WEO1l zd>e_DnJv(g4AD}M3C1j8wybp9>8UDBdQ>fUR`}SQXDmrx85JgC=z4t8IB>Fww^5F$ z5;D~SxZ_uUDsko557_yts3u(w*dNwnHoT9P;Qg7&rF_zV$_LkIMH$CU-~z}3Xpa)tIZAG*x9dg&O{jDf}_qFB_7 zRGWI~>Wg5LQf|MEKw}f{->L>SCB2{Ffw5&u>EC#dv4*bSBb4zkL@u^MOiUFQkxHH? 
z-0uRqcr(1Ur>v_;_>^M1CfPWr~^ImdcMR(%zegxamMH_18ZQ*Xi$4FAV7Nk0!OE)_HLHC&uh%Ax{5ub=>6*&!=5y4S>ug$TanHEZfd8w9ZmLE?Vd%?W6eQr z$6Lk>!L8WFt+1^pl}`zDp(i=92e_zp3Wt3zzq}_*m`4J3=!LZPjMqvc(KS<}c>$Wu z)@9*?+Ypn$>_F9X`!S-1vB>67Q5zD{hG~+_DWbGVtUm3B)dD29zx$;+8R|x=y4Bd` zLGvuH?X1Xg&6Sik*5z4A(LUs~rmWe9hee}`Y?1fUlKfZq9&3O1C=|7aQtQhJg4`o< z&$aBqNslbvizqz4N77zC*@M|l|Hfn2=ezc?rbnGEGI0~4yI0p<-fWJ54FWO~!ni0| zLMIfEM-@Pxzmkn8B`eh9dVGl&9w1LF)>h*~U(V=nM9H0RR!?1R9&A!T5{nu-&{)5Y zI;g3?p)Ro>d=d!bzaGF1J#}snT@! z?jYSK@&48yHdg9o{O#Tr~Rm3*<@9B5pm z?&VV6aef|LG~O8!+=ARWxKC~tAFRkn>f1Tu@;T0)%u2`g)@4(SO2_4``3$pi>7$l{ z->uBnV?QfqzlMqJ@5Ybi(Dwq{eeCDAhJJM$`#JXgwKP{lKL7jmchqd2%a9x!VHtPn z0HUCAPQKBQT>434Ud^vP7oUsdk3;zYW3gry{up5)MJd_@yYHX6I{*zUn9rcI7ee^`b0ga^yg0q zCbwX8PBF{Usrusowev+}mqVmH1WCJ{t;dSMf6GZTLE_Fki_yZx!+xB&?Qe&)-B=N; z(Zc5G(|>#Od_W-!zJ)hmwI}7GTRb|ooWv*Em(4d8ct0aMl+7=$QXZoj3V zx>}495@;&o-ktcDi3Y+VNCiP+a|wl=Oco}}b}XhrsI6KkO=@vT6qt&_{)%d?oGbyr z$OVrq{X3NJzyUXZ`Z&48Y?m-~$)-qStWGpXD z>O6p|TWw%DP5^>3aE+OX!`$_0iuc|Ve#M|_>1Z;0@;4w1tN~M*swWt$(_VtQ7#TRN zNkVFWT#k&+-kLqRtK{s%2F`0mQ;_Dl z{Du@X84B7#OM9^#;wj$GlwHSb0(Cuean=^h1!Q5_S+t~qQ0o3T?DcN%JhbOvMS6Sn z({Zzyf|~s%FpCoFzcxc8lM={V8;s&t=SVWJ57ZDfkeN&ghs!>}$jJ52!)>C){|xG; z5VE`~*`Vkgf!@SCQ6)IZua|79J!~FSyG`6%oG7Zvb%NLbK>;O@H1`j_KRfafAc{ja`)-|R{ z@JFQ6%Wpuq!=~8CWT9e(G+{&#G#u@7L+iF(knbbarCWFHbT(Y@H+u-WT)xh$%uSo#G*|pdu+T zJ?{M9#8-M`+nZ{se?7c=wT$r%l3~w-q;CoG_nXMg2#WIdeoKeFI4)ETa@$}!oh?0% zx+_E1?8)E2q+d3TE`i7h=y*~{+4lOOOpfMl)&WExrto_QBaUCE9Ln&(*Z6OC1ZHra z6ba@Q=W zpV#T%e0jbNzFziTUQUk(tv5aG?HoT;yx(V|RZ=&1wYf1qMkl_omxr&fv%S}r>4)i< zkp@xtzQRiKE`j3#B|q(T%D%eFO5@tpoFeD9o&2@8A9RCC}%{wV~(5%s0==yS}$c@Cm(D%uqbC`KoW=P zp*jef?oY?_B~vO7*iDJZSNo+ip`@F_BuG)@Y*&L`Hj71r#K74w#Sd&CK27VW(;ItB zAO&bZT}ZaFe5`HY;s?maqST{P3nTnxs&?%FLa$6+n5L6DVhtvLctWQBT;UR)2A1Yy z6Ot9lNc)v(#!EiI6k1g}He(t%E>O-0(&nd!n^P{(hPDZ{ozzUhuMHSsL>9$$I$_K? 
zK#@s)>xvc$Sl9A3D=3h=d-?mba6c{i7>NwO=kz!|td0`HZg@D&%-44GvHR~Op_~&p zQ4&8Eks?jU8}C$#XWN{qcN~6W<2mdraAi(ysk5oGN6fKtBl zCZ(O7;!NHPMoN&|_4J;V2L2d!nV8DnlfqIhm~=gfFxZqRvXx;DHe;%rp*N>MwZ6do zIq}ES&`xuoVEKpAJjL5DMsKuu%Ga+s48HD0dniSt)J^koBE$zCvSjz}a~geZl7J`X zXl$rlTOzp`f)t=K%|d?)0?i<>fF=&UP6IYl+V+r>FpUft+nn+nl)j8o&hP^DaeNPFb zagmG`pfje6IoHS|VF#5{ZJSc%+~xZ7f~czrAikv=V$1o5m%^yst0ac^Z)wcji#-0N zrV$H4`YUMOOxSOddFk<;`>M}J9@{%>vTpnPcWe((a=;+{gKo3Jj;>W{Yf99znE4bT zpyv7e+>-U6gaDIzvD9P0=gw!ZyXBGR;SClr4_F>s|7L3eOW@pG=#`LlDn9qc!j>UT zxo5jG7OZAo^vZ(^j1H!nf*8#!k1xJySAqmMLm_J#JfQ)(VKcNsPB&6Z|J8w2hsH51 z%Xu8G#O9=GwA%%ZM{jLi=&k5keHuUwukix0qBmuNk}g=Bk9oJnO8N`6kbaBt^9e32 z*SDZS(S{PLcc-2%K+>2oX1);UG60a zgh4pbZSzHks;%g^XFma@+D`cNQ=W4&8o{P1`wp&qZ z`+TUmQ=ZadLB6>-Lyp(#dyn|E;(L!V9R=EqQkLGL61eS}^{};}+yL3t#?6#GUN0Xv zg^rftGT|Ac9V82;pBhmoTlhjnb&$!S4T zrZit*CHs~xL!InG+|E`;{8BrF2_*}w`554H)fv6JG^OutvWq>I@iw(kF3h-tvFcXNK8}ukbMlgC z!F^jX@h+A0b)hGzI8Cl|7VT0V_~za9X}x!#i;&(%LsI`vXl(8G5A1d(#C=DnN7mu= zj;mRDJBdWNC00-K+&nzzy2w^~K z;6Ng?yhGjLBeh*xGeeW$G^<>IH-QCeNp`YOqfpSi-7azP->Ys(tgp!waDh*KLgL9% z&JKF0za-|cccZbYC}Dva{BX(CgDCEC?Y{9r3sFT^ zP=Bbqva>?=JR6d5wg98a( z;cGxrFdA#pEl(0YXZjyi*PxSa(Y|&wL$=Rd@WpO^PFpOUj|?u+%-nfu1D!$F-Zr%f zIwQ_mQScZq5mz$Bsu%-+5e5+5w2WL9>}FOlsfG7lQr2eQmLW-b#?vx|0xwVie$MQ> zvQiBI_)y-pm0%b;19g+b*CLxHCCe1KN~oHOLJyYaA_KlK5@3I~8RbA%Py?z>DT`jr z0DN-~yNKM%PdgRTT?>l0y8zd8Jiq&G00rz0gXJ05%-R`C=;E41B8zv*T&?KdF_vX| z%L=3Thac!vnP{i#f}Bx_u3HRiyBOD8*k5T1+v_0$La~2I+nRSKU|3GQV9(CK-`rdw zfOo;Q=d9px?e7}3Y8`vm=uA8iF;!UP$av#bG+{sz4}zj-@f{^g3OsjUk@+YvZFdBG zy=W-vcQQd)Lg#zAUYdQkT`%U{?)$~OI4u)H%w}}1aUks8St|DhwDRN2k5w|nk1s#M z92^G$@p76zmN_yBcK$B8ng0Hf5lbVpDAgVgeZA+ds|4-K-hT0vNg~S580KFN6$lE7 zHGK6hSYOv!DDOM4z60w^2G)0AeFxTeb;kqi>$QRP9a!Ii^&ME>ov^+gFSulF0Xps~ z-yuFW$q_VUOXbz2s8t@_P*WWxl()GJg`?eT=n4F>Dq}EM#_Ngdtg9Y)AlRSq<2H{w z3?#6H%WV-}&yL#WzuT++bGz~SY?0BFM<2|@PZR5@-KY)SIUQG+jHhX-u#CY4=EZ>w z0iLsVh__2W_pc8=-2Ei-A~QBfYuD4eRC~MC{%`wja1zp6n1cBc5VoozGp9W1%(YKI6oAwbG~7qvF&)fyAH+EnE!SCfPL#TcBUQ;PdOT#YV=uV^4vIsXZWFii@AX9 
z6=}Fq`U$u?nu-!#D4MsX45{+fGa+G(sX0k$M(^0z4OkWOktf@!)-d7lfUch-x_&Ub z*F;z&hO{B9CEOhzsBQ!ClCV#C!XplOt3zTuAc*XN zOJ>Tl^3;aoXrPQO!-q9jsyP~$RQ4%iEH=~l%uZy-3vze){8lIPb1D34i^Yv>gu`K} zqfUmRnaj^h|nnD5Xf*ZFaEx^Z>0oIvoe3O?rvyJP1vqF6nC zCxK#X`UYSZB9SgJD|N9(n#I4PJR|A)(tNlw(=9NQ86w4diA&K|GNI$>DjxB%a+&ooDQtrz2ymSzpeWPQuuws;g92! zxDYum!`6Hai=t@ylUmgq;K;N-)LlU{Rr#|o#Y;Wo7LHiWBtW>t3jkD8(lsZ-i3(O3foj|YqjI)6<8o$qy#RnnO z8=f$^kczcbybMQ{A6!KMUr`Qx5rtvLSY1gUyQv#F;MD1*Kkq~LOG>f2QUH4{*#bZF z1b{>0RI|dLOXAee^so%MQ`fbh&mMmk1o4S7q6X&$d}awz2UKjfAIkF=H{ z&1u(?w@Pzb^Ugw|SAUsy7(c|E$1K(?E6_6?*{6b=79zEtokIq=HEqZMH)MbtGQbTP;D!uv^)_UH z8#2HJy&zdJ=Mg)NB2i{4Fa=zTOK7vV6%^QxNhrSNs%;~#wU-?U^SD)1-dFCnY@Ca@ z@~-uso0*KwOjZxtu@6XWK`8sCpb@+34wLUF@6x<0kudb`4O!+|obkFbr^gj-22vrT8H-C0pbX*AB9uv(4lz{_9!GhmQOl!E68BOkxKXNwUW*%97OUwt%TpRDRs^OjVJf_(ha{`0Ff;kd2tU!m0a#_Sy& zf*S`H(C;ZlH6Va^;xAAeeSs@S)*2?>qU!Siu)KZ*-5LN?>tA;;LpX69DL5Rkj;qP2~bwC?1swEr>qJccNHqy?qtt1|%}*vyV5;j{OZ) zGkZ$|vjZM2^<#8|`bvZ4ts{x4C1j3rjQq%^dc5{sCJGiGd$)r-(-ZRb!m0<`qNemU zX2mTCgfVk92hQwXMJhDIF=quiiUoYb<~&lz6Y~GDLUeM{8M{OEw>i94r=hX%Ho8(kCK5R&SMD3|6O z*JKkX{#%;saOv+LxRQe1!70SEwdENM6iwDSn=6rvMBFW|^McX%waBC@fM#sRY_93F zN@_6^4}_XZPhyH}s3`AdKm;XxM`%m$u!V5{RqKx`{um(=0kwgRp&N>Am4tAS zjmV`?`hT9Va3+|%6bhc~1)@0deZsTKx<)f(E5IWFCiwre_xH_l3>Zg(8d+(l{42HzaV8tOAf|NXabKm>7&;Uq~LlVF|Y3wCZ zsg*e-9vY2Cqw(o(O}8dZ=`uzvRU~n2%J2}E4e3*B%;EuPSB)(xdb6}b?u{E&4T2kz z{001xk_ZwHhB*)b3rdL76%8EQTaa`{Py!Ydr%xOOs~U|T`?&gf%Hk4LNS1+Ea1L+j zX|%rT6pP4w)jlHFML|umQr9=wirEpTx$s?@M&IQYxWJ%S|KGv@`TtOYX)5$x#A!T> zNaZ(`KGmqkp~+;`e1T&`WC#$^dR;FOM_tC{wpkphAKjAWqZ5ZqV^mq>k1pd!CxtP& zvS5o1AAH;%!EcW?QDq#N&GEHLz?lV3RHQ1Lu|L@c+d!Vp<@0jl<@HA8ykoJgnM5c~uSEdy8d*Ar-r10L-Ze)hX$4pPO2?bB zbV9>WhVg|?6gRH5i52UlasumS`P$bF2%`FNEj4Q_#j8E`(s;xJ*(LIG`c1C+mlyNT`iDSNMrxco!RaYp%+ikbP#3-*p>+VnI&QC3_t@?1hv z6?-eBQx#Uz!oJx(QPFTpvqaUxqn1a8(-}Zrl<7h5e6xs6aHM02b&u?3<^6g@=Z;Rm z)=p=15)ozh=r*gT=vR_5l_=e)xK;_QtB7zF=jbhsUnnzQXZ0_|GXI1ZNkn9_ee`Vb zD~kyVqMTObio=f9B{)f4sKr|Q4Y(7!ETp(}J%`LFno<*R|1EQ4%MPO3t=5}sDA1K6%*mq4CD 
z+-E_Wr~kihr9gfUVV^SzI)H&5!!RGCdoZFe@U67jod;QtBhj(rXM-n?5sNFYcQ$oL znb>gk$c~>_P-%5CJZ&IDg#yrf9510u>&X@^R?g$)Jzf^VMe9Q|dPmTl&gOsv)4(R1 zs-k2C)h_3q5+7)-6)72DH&){#L2wrGzX;-EGmhVqtOVfRz3Lw|*Qws*0gUa0^%* zrqmsYQdB96MSt~TaB{v!=sXU~IB#o?n*1xr5twmia9Nr9jUObhb66&2Us)#m`>`%93yWMuBeUu7>u3y5Pih2F z&%fQaBJs3ak=U9RApdJs5=#zmWbAK`OR78ue9DSM0q}MSF|e?x(vvvNa+Mq+Cik$} zR>)f;p>ZtLdvW(dn~(tKyvU{yA}*#|AI+Z~KSKj__E;=~Sgtjga#Pa*$32yYVlK`c zVje8Zo9d7(RXt=&XU<|Gc6{F4?$#Z%kepAaG^W||ibXWo8q)6FO3lVrK43Z~8iR)j2?aV=+sgOGR5^aEtx1wVO)j z22mbLOnhwzw`>subO}b3=e8CKQ%e-7zS$e@=5n~cDK=_zi-LWLN@H);$Si&ZDxm}> z*mmeO*U>;mhtLZ{dvh9#LDVjo=u(V|Qx;1u>RMjY2yY7GkxSwRKquQ@5N5rd%RxF_ zOXy3Ty*pdkChM2TbCzcX<{U>1?5JWt5RXWxUYs&Bi;;O$>ugTO!Yff=Cly}ySumPl z4ohTL%RzSMi&_twn_h1Zg?&?2sSRJZ1U7V-Mrm{&!f4fzS^2=pdl03IP;R}<6x%cf z=f(g>re191L6h6D5}Bag*sxo&d@O5$2u0G#KsNG&bT@o7$%9*x>HD#C32FZF3{7x^ z<3Ow&Q1H49cvEfq%b09P)@tpYbjn9q>5j5X2Kbo9JQKZ;sARW6pGTaX2w9~oUol3? zX4K#Eno;eZgvjff%H5wO-_NRkqC6d|vb4L?WHq zy)UB~!ZBT%(=0{^qIbjc$ZgwOD#u!MthIBLktmWE9TBG<<_0|$s%(&P9lpO>Xx@T#q{1Vip!$^3htQ~Zrm4Opj zti|f@KJtQr60T)vhJL?bDfzuo)&4gK8w72jO{cBD8+vBzJ1d(|%bOcHV|09+k|d%5 zZn)>L?|AxKt?`D01NBQApMIlhD$aEZRyb%F$y(vim@;v4ELm)|hHkS_m$4`VAX%0+ zX#X|OZuOqwNg=va=BF*+NJ+xdtdYkpIsdzn+tT{EiOY<#pTZp)MV8>z00iDukrL2UlRyZ@~Me*txKVsg>as+ z{~|Fs|AiMM-OK}PwYJI#b^LMBovFU&ObL88nCb5dr>V9H6|3wVj?f9FX%V(@oe4xL zhZRegS2&wr#uqw}#3p2DtFt!U#cL2VurOm5Z$p%+mL|rxWXUs@lHo76e0&0{fM@0t zp;e84x#d@wbFnKAvrpN$#5^vfpHkb3uGgop#*FBNq5%a;Q0Axdu5v7&+=xm>qLK^v zZd^(Lr2@&-+uVxOOwY}oEEq~xe$rPuP12@&T|;O@wS;P zTso79HJ}A$cmDKOuSY1+{Jti$%l58GN8Va@3s6y6eN@#TN)01)7>g_oVU$7^@L`~5 za!A>!c4{~c@-!uJb{eojEF+x_NF1a~7|d{+OC-+U-#Mn-Q z>fk*!jm?4lDjhc7Yzop>cH}C;*_5S=vPV8=OSiuA1P2}+hS$wr%Lir5-JsL3a@=w3 z)po-WXJjBM@3gpfC=sG}Hz|%ebjoY6)z3B@aaL4DLg~@SVxspEKo)}Ce&_U95YF+; zjR@*pHFAvR`2xp-l;BXpaMjPSS%f6Rw8L!}PXNpV#~)3Jw!u1RhM2eKaIcI(zG_UK zdZ15LaxRN5wf4V^#~W_e_a@z8P54Xk22E=N)HyEFTREg)={df$G{qU7ea+l5N)?P4!1u1?eo(Xz;^ 
z-hP>~{#A&0n#MR%Hm7xNfofG0Abs&nomMysBx1Ya^T`tK6|_p_ra-lBjSgCU)7TdaEy>1Xez+lPVdQf0ze#pl)m5$}LEi(%>p3 zQ~Jrm<>srJ*%SFMJ%m?p|Cf5LJ^w_N{k={e`e?6i)M%6HQR(vP2gQM$@eHLT5Q}tH z{;EG{5k2lQw>uhV*CwNFN`EIQcNk&yZ9Tj~M&7CC3@)U-sGZC)x1CZO_c-{lCPpg8 zn6A^d3hWf%7!eA~WkS%=)%E+oUyd%{zq@?*Uq?-6#1tJ}e|XpSbM<>2;?>d<0IC&w z#Z2KXiu-(tL(L$I`w}gi0l7t|T-%&ujwXb}i045-IG^TGv@9C+n!j{{8#4b?mGTJ= z$}l~mbJstfUkqeuy-;slaEU2?Fr=36=A<@*%NGt(vv{{Az-d@$+#75ydTCsmkCQEX2+E>F)j#keDbp8*k3N1TZAjI`#RvJ91|IXZ_8!f`08 z9~nc@KOzjjc8vuNYK6^a8^iF>@avz{}{lKWW=r z9(-)>Cm+dRwNsC=7<|}hjiU{3jht;)VT;JcGm@Dxe2eE=5t-8{Y|G$u1OBlo{Z%Mf z5%{s6=NaPxj!1g^x2yBV61@u#jD$4aO|{NgBXw49We31)zia(Uo{5Z$L!Pk|&xrXX zpQMDdJPpbX3dU8oQgKnZ!rA;e8cGdwxDpLn^hawS`qhL4L%pS!FG2ot=I6hd;o7&(6*& z|9$%Hvu~fB{oy~J{NcMlK7I1-*^_V2{^RWFvv2?ShyOrlTOMm;$$5s;|2W&Yt@_|T zlQI|#euopPPwWUMRP04D1X~^6{s}z%?w+;zf%H?}Wl&3h-BalL7 z&eF^hDR)Zk4_+L}?!3^m*|D510^Y#dW&SUKP=xvOy)5FzmJ$EXo&g(bO-T z#hvm+68yUQa78pXS7aQvYPI2T=~EThUMf|L;0LEVGy@Ld0z%!l@(eGMN{#0Qct=(j zYWKOO4*km5Eg^{@C#WTrn*NXeQ9Vsk%2JvwOAOOWhvkQNPbMV8@+BV3$)YgPvxLOw zSC@Z(HmW?XZThcGi@mI%X1zYYx-2)^=EIk<eG{-)oYhcD0yc~3uSMNOQc?wbD6NGu(bZ})qXiace9og_^!x(=Bt{t3i}mWhJJhte*GFh^t2iRa$~ zR91-mAI5t(8MVVI8bB2t(+c1UI1Jw5h_;!{SQ(xNjnfGZWQNu;r;8+Na|j}FzGy>b zi#l3Rk>gr-nIm8xRyU;W1EDi_0Meix#KDrMEP{gd`E$l4+D zgktk|ai}C0IKhE9=d65=s;+Q|5 zAf5+vgqwi6#i>|&6q7hhaRkS$w=YJ%+tKYco@N(?@o1CPUaP9^yj?()8vIg$2(`~U zFCh^6-z?XWWs5rlnN#K03VrImGO4_-gQM!2yN6@>L5(V=lL-(2m0fMEx&s2}J_e+X zB^|%lMgg5|?|+w@iCNlRPP*gLIOa)-+dXJHM<%^yR)<&frm+mJ6TRc&S>ruodv>=0 zjHC5uhkRJ2b@`3DjN685?`o~9io0I6`VtTs8N(sqZb$uXRj6ZV;R_nBEWK?luqp_^ zgCT3^fz|V4`J;s)n}u!novPm;Mfn9|-sPy@I#8#4mSycVO1#2&3y*D_^fA8nzjS zsZnsaL{h4keG3s^k>HuS_j8f)G9E!i(>T-_`;x`Jhk#~+d?OY8Y8QgJ(m+inyg$#g zc^P}lp*Aqr#e~RANeSkh7Q7e`boDrhFkLvV z8YM&-z& zno5OOwHg}i5ss8%Q^|cmD|Sod*-vIWm@c*Cm(96X$#V%}IMfOF<^Gmyi1de)?sAW< zHC3CbJf)@E|{( zPwq%cr%MPfBqj{jP;t|88D1T6bY8iVmOzxln9+#MXsp0tH*`T*p1pMv>$Q1((^QY3 zB-e;|$LYxA$8xK>d~qe#!oqC{xhCf_8gok1RTiMuHNoM=q^eXR=_GSg%4d$mI%Fbc 
z>GDS$+_LHPE&j9#p=uRLVlD6|l!~7mDK(Kbd@dB*4!H`(%F?B#z~{_a5=OksgPmvq z0)i(JjBKVFRB0~2A9u-ez1wF?Z6isGq$qQI=c-8HB80eXoTajIsXAySgQJMXw<`Oh zeDg5&51vmp(Z|fsjV)f^dwDAOV*AaQ*q96DKxtHmK`c-d_oP2TTR&n>+LfpY=7uH( zN^Eyjj@6>msFm3)SgH=IMX(s<8h{j4@0jZg43--I zy26}i(!hBD^Y3A6NKzUHG{MnZoFp`!UFVU@VY?Govths6U`#7-?!YqA0P>WW4wjm5 zja8e53meO<%@qJ>5@8yTPtZ7|Gr}|R*CLA`u6-2ZWQ@LcHCI;m28VuKwRUG)r?YgA}*SgxGby2mt&FbQt3PW!&7LsiHB6$643;$KOhqMu9 z*>wtuN?QkzPQol+8;^(Zw&q39#gZSPnipYZF*s1%JAD7@h`SOdl*K2%K`RBE*2jMG z9++isM6~8cFw5F`5?pqEk30jid`^&%?d4c7%VEXNua__SI`P3#Bp&?i&&xZ=^I(?4 z6i|(^@UpReXwBe5O>ZpxID_bNSYNRpHY85N$O zBqEp-!y5yR?mXA!)Mfg7o)@)cm4Y z-&I9*J3@IcBxeAA%bK#{>TTC3rApJdCU>~%KEI8Bi*WdTF4xanmDo4zy%(gFvTYs0 z1KRG#HQR%^p(5uY(BQ*{zZ%WPK-a^$novyP}IXJlzwT-j&;|EY7fW z191MCF`zdLeGMUVvKKRykpyj)Ol^+^GykX=! zfsn5WAKxc+HYd%RaPfnoi6cCGjf2mAVc|Q3gzxO!=>-Gd1q6IU`1h^|;}7{>10K6` zsP~>=-aCeP?`DpD&e+?(C9PZne*Rab#&EWFa{v5nn*C*_t@8ddv;OuMVTiOlkofUT ztK*2m0I6lT<#Jl{YB&+?#KrMK?aK-3kQ|_#RToEX!^!Dsrw&hR`{}s)=&a-9-b#B@@!JHkM zcIC|E=gf2HFuCnJF7?hIUoNuFkw^XbbBE4IhslfXeCW)BTj9U09q4QhN1OT)Ekc*% zY>Tk2`r1-!v~)O0=>n(AcIO(qkYD$>W2W8H-Kb=U5j!RvLOa!{?H&NPb&3HOFGq^N zyN=V@L5k9A>cA2gm=o<~UUbYGkNR(vKI;EU1AWy0KI(sK>7)MlQU4oDAN9YF z`rk+W@1y>Als@YJ=RmPO>VH$|qyG0%|65BR^?$XkKI;GH8TH@UMFg#HY4COxNj-c; z&^G)H6yyF5oqrYzpF5XnuW^9PFAy*QBj1cj6b?2e>M4>A?s)cq51 zf+sW*=dz3yZ`owZt`IP>zZ*R4VRUsrD`qIrV4-QT~q%hTenySxQ2j5?ss?7o@v}Tai9$FnE*g}4$K2Aa(C!tpQI0^O< z_i++jsMN@`^m${Z&ty~7!i&KN=|;&diN*kc(OQ8j>aE^5KB!6x$*b23DiQ=xp36BJBu zEj`tuOQvIu7`v7Jn`lZSxwnUC5%Qa2WfZMspDKb?%%~ik=)I-Y#v1?feL037hUl6^ z}Tl>K-+I^#OqmWReh;no!GlsRCQ*-%tuavRG}`Lj6F1LlJt3%M@MAaXcfuNO%wWOiHE^ z_^*pu7yOg52wjla3CE_qQ>v1N^1?Q&I;+$n=&a|$qZwH^-P(HH$t`Gn2^Bl@3QkjN zD&cfz46@1=oAScvIdATBu_qIxKAbB1PN82{1n2ZB=X!&`a42%wB z*w6&|MHv8HQHJgi;oaofZHSRlzp@VI#A-{>dz8-osN~wPDOd_DzVV5rMinMSg8dD^p@n+j;} z=5lbn_*tWt_vGf1r;(##o2OAtefx0zrc9`*WSdl4JBIJB&OSu$OdAwDPn&Z?St$K0 zW4DAPZA!M=IxZ^lNxu4j^ha%U{@*MYN^3=xMH80IjrN3MdwY$inL-*y;NYWLrETKj zA&}rE_RSeLRizr6mPFfrT2t4=pSwx==?kJhbggQ;2|o9jKdx7iEX`U~q&1Rvu9LVE 
z-CIGcTTj~g-Ql`~}600Vz!4CoCJ_TTIF0u4S~ zSn#f9ZcQk#Ck)sF;p&M&^ur(eU=P=U{q6$tduRmlhWPFT-n%BWcc0YRoHT1fc@Ksr zj?mpT4nF&Z?Cub*yR&nr7esd#@Z1fdxw|5aKOA?BbXq%y;qD27yJPt6ZsyqMjO~(W za*Y%AP7_RSm|XHpwmrIRj+-Wu{LC$dJ5L(<;0Ystiv~kaEVGqoc90NqAITtHpw0Fq zknRZ}osvI(X-H{@jD@?&RwzCyFYdQ=U2o4)xSI@xp4kZ<1%_i*LO)@!+iZk8$wcT# zuFax$Zj^m+dzlBnco1A?gboLRMXZTvYsmM;+_RRnfQ*Of2JI?%hW^sXyqIV`PxW7n0=7dn2N(xgGo z+SyTj*BLRCP0`ECs}XEw5yf$aeq?zZEYSt#nb0kk2|=&$9Y(K}+Q*Bnu%aa&HL-@_ zI?jjiFL~L*(IV&asuF4f-LTLrC&BcVpBNjpej@a}nqIlmX!pLF#6fZ?R zx4Z;FQfdt?YrI=sXlK%P=ImgrIl*B>I3JPpjy4%sDkQ1BZR0Cok$ghZm^2FxT_1#Y zr9p$WwR}QX>ePx$Y6n!f&5~Y;y90R(>XoD6VhfEcz_9)-P!hBt6H}@&8p7! z8GfT)c)-a8{2`yeW7##q;qp8TQ^I-MB)ZK|Tb(tMx4s4jgErE>)YhUCl+7tulMTDu z1kRdd*kTP9KdrF?bP!!*g09s4`#K6ky^b1@R$)h04fW)$pd46PyjBUv1Km{paq-D=aAKA0?drWM-)`;`N%imTrxphdd@Z-yHz7{W zyIgCbm+Se|Zff`Cbdf|pmsauvV*u(wZGEg`wGw3bq98Qe%hZTk05qPSeTN32aWRZJ z+t)e)G{3dreme}sXL9ul!Y-S$(2^xi6j1{>hB$d5W>2=Ubz18{9@BB2*BKL$znp%^DIm0B+qDG_RuSl&vERW@wdo}!$k%7>)uJG>xkvsdNg zb(stHw1*_Ydypy@5$;l{n+afiy6*6$OhbXF;{gUgA~+4^KVt4Z`Q?{QL+9|TW$fT| zpjQo4IuMUS_4R|1<0XwUFO0{^w`-GRDnCC!qKxd$Q*AVXPuC`i^l@63BJSQ~uAXE$ zC#l>>-cL8!kh-eb$&Mr%Jm?Kcba37MXyw}`b`vi-q}O`D;jgzB)xK;Sx?9-)2iS>3 z=hoVYsvmA=AA&pdhm*MFki2)H`ls94gbs!xzFSc3%Ps9dp5)l}2DJ6q@iy$On;o*p z)Ao4UYU%N`y7YKjPlEM$+8$5a<7s<5ZI7ol%NK^HwM9Nxz=XD6?YMw}%k_<=n;m)n z8}j>`_eW*s`>g>#wtdAVyI6f;Qw`rO45ohwOnW{*ujqqY*J3?FUiyc-RKYB5N}y*1 z#+?|8UBg@YhqiQz^yC-TQjyG3=YtW{D~zSze!TPWm4_L+a@#YsM!3q|gsSw2vA6vj z5#P|1-eDAUB80aX7^^-~&BUtH-U(~A~g>uUS* zIQ3Z{5Vq%kx}ops)~zEOg^#sr6INwvZ9mh`T8ch^Zz2en{@%8;R<|XC)fEz{*}S~S z&|F1>*~~%-ZB#32bTq8>7r6(1k!z5}7sGDd=IV8u8KsMmO3JDq6VPb%!Cn$LV_Irg zt^LQK?^rK--w+uIuF#>#BFUEMn58Jrqv$cBQ$$167LM+5dHt(1=wrIzdX6ax5$38V z`<*4~i`}r>YnnhExN>VPqp%!t^x^uAllfdmA>wnEM8F1;w<;!g^a;H6I2zOC`!0)L{5e1XWPggO~vGrEx1jTjt{ zj<{}O-)^s}S(w?MMDIKDt+bKF__#)wI~>uFX0}wDLU~~9mJ(yt6z1u@Q>4F)ZoV+~ z37zA9-|TW*;c*+iT|&5+(%KFR9iLcmpM&~t*YTz)nLA!l83jMQ zC_*WVB6aF%$+c}s0ax~N6ZEb*Sd{_)g*i;q_-DL3L?fVC+crJ^Ue+>5$&B(WU80x& 
z{}=CmIQ>4*$*wgR%XWaVRN>1i^LYQx(V@s zD-_kl--FUIPIQ0!M5;EjM@l7m6kV~11}(atYd$hvi>6v4|0T9;@uOHBFeu)b$KxD~ z2ICVnen;*|syzoUr|(#Hl@d(0lh+sN-e zC8KV)6RuBLT*v~!Z9KsNQ7QW1EZZ=DE$v-`R1xnMwTr0@DbHveWN4bQMe)mo1X$>` z>fdcPb?MNlE?RVF6BeGJNuDV=w$dWF|I5>-JUxtW^9hMaI|ntm(3DC3hLnLr&1t~m zfFv3GA(tsXl_WX+O71gD8qeg?6`fLj8nAeP2MKGwccU3ute?(NzJSvduS%k>w5o=@ zZ}?TnBCkEVo=bDJN!KKnog;SG^jEWbs>{1d4pVrmOg{G&$%U)@w(0t%IeN!g-%*tG%yO>EMrRZjpC@X51Kl#IMr|$Mo{6eaqFW3Up z22IjV`Fb6G$&t1Ci$eIgjqc_dY);TvE6ouLa5QfHxPz%88j!dtTz)klrF^TNqgFj_ zju26pp&G_=72#~k(nXgqc(>l~2bgeE0`?FL!X(=*0sT)SBaDr;p|mGl*m5Qe0hft5FqPmXs`O`#^8bQC3)smFG5sv8-!Xi73yA zP+_fNQoX0Rcd6z~KeZW4xr>b3P zt)a?F(=x@g>QmI&s2euNHBWE@ETuI|uycZ7)Uw;z2Ie|AQGUUgyM%r5kNZ*9TpRx@ zj7P4?k9ApFju^z2!o<>)d&m^8pegHwP4Ny+Q3NUTN|%fFNnYd~3B@xO$`+%ccx6s@ zi-_VL6U8|yin-9PFy}WiF5K=`v(bnNcZwM(PWN~z&U{Ld_;S|z`gzFLTl(8PA2bRE zzl7sx??S?F(R-}a&qHn(SkzKeIK)}{5=FVQ;DrUE|D`JD)`oAs0a~PgJ}UeN1qe12*1mo2cOD4~ghr5Mf!?*(Y}n7nbEPLBq1_au(Of z^&pF9#s{ZKFcTv<2E3QW9XqNTazv2I;+qLV7VmrzP9!=^(s<>Gki|b+gcE(tj0y)$ zr)?0aDVN0O$VCo0CS+ObptZkz6SC|m>x3*jJ@Y!_#1sx5h4$--0aVuUg42Q_pCnxC9B`h_ zH>TCkDwn$YC*L%K$i5`=FN*FT4}4auQy#)Z&}jFnq@yvf4`B?pOSX67j2;WI4e#MsYL_Oluiy zP7uwczsQ7?7;MZdSMSiYV*{~NuwiqZh$C>*C={YvsQZ-M3Dr?uu|W?qoaG#yUs;@N zW!bGhkGs&s4X-<5QQNxZsJqoo#wMtkBa9X}fru4Q8@eTK2TpOAkd6xprYRqyOOqLm zg=e(qRIwCH;GYC*)MZ+o)fHL%P^qhB!dS+$6em|HnbJ?YTI#iCYHK}_536##_{3a9 zT0Mq2)2kPUp^RuTt~E21=vAxwAWNek%gVkY{f{2_3?o(g9Z#9jhSPk>V}{3M84YY< zrpA-;3F3J$mz95|t5lccg^rmWm>z5TR&Md3tVN?q3*wUy? 
zl$wH5KP=jWYDy~!ZkEu4RV2(K&j@^fu5mnbo3hrklUb1ofOex5e2h}~+J$0{wjAWo zVy-qFRFu7AbYxA#E*u*Zt7F^l*vU+iiJeSrTQhMovCWBXb7I@JZGU~=&w0M{p0&=O zv)9_atE+0)>L1;`t1gv%4G;P=#^hVGKWwYrLXzP%?t)*)Xn6GPV^2=jBexLv33Y(bL9dUf$fgZj1LGkHmm6tyMge zrdX3GM%0gys{aMYPyyBdPtpK4`V*Dg6^p!JV5SF_zBo>1!$_I``fzn}a(Tg| zEZHhpO<9+s$dFl-#}tPu!h24D-$*z$C3~M7uPK@}5Ef0V!K8_ihrIq267snD+KLf2 zfg-$LbZt%22>=qV%~}iolJrqC=w-Qhj#Z2oj2jMxZlYLiKiquZUbW*s#}LvwpB+!1 zZtb|<&3FVuW;XFhpig#Eil<|YC;*xHBbkzRGy-<_Sq#Ew`yEL#{b5=$F4+D$N#Rhs zwi_p!us`c(?IkpawDA)Pie~c*|7LPT(VM~TaOZwGOur@mSu5GWG3tRS0;$vV>;3~M zD@|gRz02=^lk!2Y&Sn!TI3dHpWhXDTBO;a$)M%&>Ce3q+r*`a~GRF(Om9F>5pABgX zEZ_|9jPAHuH;EyFxZ>VVScFT0pOrdp!^iZ1or#lF(?J~i=7oWF=x#+ zbX0K#dOZ8-F|;sQ@hBtY*Q29qX?*9ogLGJGtY_hvzsgaxrtvoiq8AyoOKQh)i%Rk! zF;L|lE{B!Y^LdJ)s`TEQUu99X_HM}`5i+&LvSPAh*0@V5t;0Ki4X(>YqK288x+t6W z1eY`HDZramiyx(z8Y^YUy0*KE%$^|mwwvnf`jUv-BU~=q!#3e_)$uj1|58>a$=F9m z6^@w4`e;7KI0CjsM5UZO<59YRGb)*GV0XNKK8wqLw5;(D4gP-E94XPdj*bAINVH)4 zmrpeRyXm8ygOk|F8~5+QG%YR7E5~|i+s=|~UF(>GqmS}}rnN{5hM_n7RoB*R{g*fW zf%%4)oK<@;U_p0?Jsu~5Gf4L&ELQT6~A6CsaQP6}j5hb{T zcOQhLes(<_w%s-fJ#!Ru3$i@P&ZxzJqZu_(hMQaagdCD zp5r?wF-)UiyjIXzi?F`fwxKG%f>`;ZZ&kM$>rV9JD&(OFR1)|2e@{9{&urYv?E4YJ z{5q6yoc*f?#cpdN+{@W*LyL}XELnOCrz`4fdnB5ymrEeH)tJ|k6_ByJ{#YdKnhRt2 zz9gP}bQir|G{vO_$}@*g+r6sQ4$#@gDovemN{TTiii1+*F6Z-ABz#$Z!rXK$E7Dxj ztD6*(!fx!VGTufAWVtH;Q0~VR9bPkru5jv5cCU$)?%tUi-RkIURkdpfZrMJu5J?>c zIf2xixABl|lNG}zO+)LON9BS}LfG%_7mr@M-j3UZGBOFn$KT-*uF-FhN@kr&RX=ZV z?xfv@2QkeP?AzSv-=PThM)w1_SJib<%r|#`cG` zXxHuZBVrIP(0FD0Mrq?}=2iWJF~p6s&;SV2aZYd?6-G6dW$nPg(1Em8T0V#Y18DF& z);0J7K_m0G4n+mYfA|#CNd<+jZ1$}8t2eK4gUcf2>jQ3oKr-nIjKK4@IK=C~RX*A( zw_0~6V$vWUeh&4-m8b^_q-PO@K{#}nn1!uwtqyEn{|^l%OXrWMQ>WqabTkC0#KJEo zK{)L5nQsjYSZ<*>my$sS^6+NUggV;}_;E?0Rc(sM<-C%mChIneX4tt7#pddPC&qE= zd`~P2rFhnt?;kvJm_8dOV_;G^1QsZSrl@lz4i&eR}-i0s(58 z=w`SqD+Z=O+q8`cFs{@-b)%9K@CH8niH#~GrRS@P-7LB!Os)Ar zW!1uLH&D)}N9qDMf08Z|^I6G1H;v3}7BH;C-^OzUv4i~ds#oXzJRjpXf4>g9UadzN 
zj)B8mAYHp!R`(p~r{*I=@=5trP*5^Tr4kYUS2!dEDlZwh2GJT*FQ!cx}p9||9`YrFsnJpzn2WpK$RpCO5*sK7F(2>6x6vg&R-_DCB zcfkUaS=~;2^N4B-9#xKLI*R-oq&kX3<&FigJQbje1n;vDKyNQgrgS|Of;N^wP%kgKVn0xiOweHVHie)O1+Z3RFH13%Lk*nPqI=OdVc3Gf4aUThsBU#) z(}S?J{J;cdHXH<noF{g>lrQv;MrWYEQ@KhK5W!*AmrIb^rX8GT+T5ZT=9KKll=rko zStx>FAyp7ovud1VJ*dVkaK#FPgb%t}3ih3gO+^UFb#>`0^|IpQ{&3|eqIIf^aHouz zHA#kY2qI7!iY;a`9R|Sc?`|D|AauvL0QHnI(+>)N|>dc|TLV4{m*+ z+d^pgd@JNmweg}BT$5dGU|Fdk*D-YQXJ1=uf7<}q{psPheebwt*~^GG5m;_j_0ew$ z8E>d76qJH4dp%~<9f+xm~E|a;h`&|SjGDDERgw(ohR^E#OPc>gAa!aunOAMKe zX}#6>BnBQ8&DN2LCoI#_;YuWr^Ax`kk>&E-!e^@mKham5_2=^$57k$I;O&`s zPzZHSziTm?=<{Bvg57$XDt+dhy|-H6n>k=)IdhsH9cRUT79eM4+>tABmIdd(iyQgr z{cvc;6147?K7V|kMzpwIdZmgjP>sIWm~OH@u!-PMR~$wDi$&{OSSNqjPOZPreSb_L z#gIm8J4hGK);T3TWMk)Jb3PZ{^1@jIJkUyHxK1^IuIA$Eq?F65NkID95~TC0nRYwo z4Pm&KtnC}b+hu0KGbU(aL?H-SQu~E2PM21Sp3|z&+~VX{p^Ch9L}{&&O1&kU64uUGigqCpS6xTq#ERj(J%%y)Z?F2A zgW;tIS##S0UOK|Y+wmSY}iJQUQ1ve(f(*$Z>M95%~f!fSiKr-T3S;i@Ez>eIl)a z;IfYwq8rF`KiFY3`(RBoq?6gZ{-mk4Uz(9G`L7g=%G)L*2ri{fPb4~ZL^|65R>umc z2$ovz6nW=D_yu^J4*=}0dXN}8blr*!QD=SL?)C5aisvrK8t>j?Ayt4M%K)yp8UF69=4`qO5VpQFZpn$yg3S~~Y7N;sDCcnTz3n!+I%$!!y1cHw$->w| z=gD^<_8kE{+vGgAg}9X=$*nXo^JB{NKn{H}3L+7nEz(#=Djj+u+=>osapC^;7MOl& z9=GrfKV#5HRJ3}6GDXaqgs`Z#kpJ)aJ}!Qf1}VskG$BUEv*GmPcv3Av_dklzaxlsV zz5gmgrR#O!@&2m_b-Jv`eYuvcwtN1AD6;n$BA%={aucW@isy5Pxmh8ava&d?9*+_T z9tF`_txZ;CZafrxtR!c;jG1%lq#pP}iuRKHs$D5o<0E~{^w6q>(Xc$EtOWq-M{ab9 z5f4LkP|0zS;qm$2U*8W6zpI#{`M0e{Y*BzeT$h#yWL$qlXTxP;)}^!en@}FkM&3FsO2rgWq_H7G zr3GD6AeKa#^mX7r^p-%IeUOk7hoUJSq;1)g*Q(IPaLB-;2pRbs{|`|p(|5~6>AwvB z5rr1B#p)BYfplx%dRR1D=g2=Yc!FWaqWrZ_x5(*&e;x8gQAhROctf)2G*jx=0vRDG zXxoGlt`T?1@m}Y0d3ByxhJ!Wf=+#ymSGIV6n|sqgf-`J-^R!Id4!3$nKbO>upM;B} zLTg(4;RW!dOSs~eYyts4gyC0fDj{s%LU}FJHKB4>X7^=e^3--QEH71aOJYg)6gVg4L z8NBUZ06k+g;nKW+5v26*-6+sRB<7INDpvv%7UZM>WQyDl0? 
zF9YXU=kojo3EMk{U{LOGNscd#`x!5q&M-9mXGu>F*^7LBUHG+*8zH+lEMj{HR;hDmubo6k_F_`hnKClji*=GTExu$`1FZml z5c&v|8FBo%8+e_=z+O$1=j1cw3;D^1-?sI(B=AC;s$I>JQ64|tzRV8^6~?NQgpL1| zc9&wm(H{#T9yTv?h;Vf&y>c4UH%dd{^qhtqWLlZ`ZhhI{_Sl#$G?0*WQ5>=;`jh-; z^8JD-aX}WiT1?rx7w@v{-^xBwNhAU|(P7^#*EYsq)Tz5jHTC)W8dX#9Q1!){ximrl zYe~S`-uRz^(0vQxe{hvl{{@V2&2ODX&iE}2cLN^4a2VPl@GCv$K(7Lkcl20i+?=}eD_qC3h7Bgqwi(1#5 z@gL!AEQ;vj9?FwDj*7YL)4gj_<~a zsBxt?e(0*UoZt36W$50qjyPTUlG~%BVnqSy&^(RDrcGrmwI9ax%T$paSPUL)oP85l zO~jR(XV|{4+b`d!b-Q!czDNpzQwjp;+|*f49X)1LPp(&S$n*WV#O32I9O>jq5>AWt zsY3^V-X&qf(>ia0OFG;x^Pk6zf(4C#Jvz9H54WozNBeD8aQEqye(M z2XXr}U}JO?b+pACd_M>8kHI0b@I?-O^Ew8Ms|i0dZ$u)*rlU{f@i)Wma!|NH&*AwW zG>!5G2PT?y*nE?Uv5EMN@HXA!;ekJF^h2Z$f?v}}cCli|PD2_XUZ{*d)K)e#e;~db zWy1I8h=|!m2{lkXxqQ%f8{JJcsgE~%uJtyS16+OnFV|HWXrU*MOq{QJRZ8EJP6+EL z-#md`5Y0TlusBAj8joNr3O?)(IaTsU|Gqd{i%&gHLf>l#TI6x*JL-Lep9?BFBAI zBFg!ov>r~7Crhy@{la=BHBwfb*~AognPlJm?F@8SN5Fsz$HZM;CnUi4a&Czg94|Q0 zDmdEH-9^GGe0<>xtY2+H-h{cyLCSV$S5+)?q0`ysv0%AS;qlC14JO_Rt<<@7cSkk1 z^aXDz#MJ}x~I z@pr8l{@X0z+F5e9^jt~xZ#(mU?g3ST2K2sGTzclM3nr){gX7b8J<}Vx8KX7^ws&Fu z>L`^t4dIZy#6XWeaJH;T^XxwLD&NEjyFV2pe9VnfKfM$qOy2(@M!1L$StSm1%{d90 zz}1$Ny133voZ01H9TAB93s$s!5wksyy`^=Y6)>qbkZ=zEqu{ZdQoQ>@dZa%*=MArE z+tGysszh@4yWq58Z?)*zO3IdJ4zp*|BgXrOu1bqyk$*D7JHhU9^v;#%_)WwBHoZTw zQ3IC}Zu$wWGnE`B+ckvn_O{}A&hJt20+ZUf={7mcEhq)^J$txMn%qpo;{eos_*VC4 ztsPv1F1pHxEf{XTO1r*qxjVS0>tHZLP9gmlr@r1ifc*kpn{8npQe3V@O+L1xEta_n zdkq)cZ;wsP`st}`I935tH*~tL5-?5l_Xucls@z^a*F`K0Lq8CO?*Xz{A+~2{JZ)vh zGTLiO09$Quw@mt^3*W^O?wN*DFxcXbJ?@qt){8$YbmUMFW!8i2I+I*!ja?755;fLK zkp^j*73hkz)vp?~+}ym(kM|AS z;O1)40|vj!w^#_y{vXr-p*$O=&PJ{igj!!@N}lx7^U^-Po|c}Oxu+xsj{zmNw|(pz z2s4Wb_FH&{N`2dBtb@0#f^C-9gvi(@B(+OXIOA27)NK z{jdI210JF#5>m_2w5*rWWHeZ@M4Khg$(W81Z8S!$jGDf@B&s{UhupYktJEx6YC-kM z<tQI1{V$|cVIQ)cw^(7BtG$!t^#{%j2M@G)SSp=i5axcwigPab+ z>y?m9%883oc6mS4X|{RQH1X|qND-e{rU0z@XDWO@tM63$4f&B%2B=Z~4I;>JR$`!7 z&e_=z7$Os7F$!5$KzxeFR+v1SxX?2ThcXk@^osg8Gy^`}TVEai1bhM&f4=JpdA==v zu604Tq&!yu4%gl1Zl5*=(#PM-!25MXTGPsAu8O77 
z!jxZo6~+&~{AAJ-(hfV$Gck{Za*NWBJS3yYi=6Jn&B&{6VZB-Bt7ub4>|<`5W`!i= zz~6q>=8rtDcFZE!1_EDrD-Qu9C@m`syIGp)<}05uc=Jh711Xp{vE=@ntUtB0#4BUo zGCRxPbJ#=*Vt(bmvy8t>uhJX+Ho<^{Y~UDMrAYx=*o_x>=#*r z2N;w1QBypLlzOhS5aoV0=AD%eiUc12eLuOHA0$ZFGU=-h5MND~W-6Dj*%B<*G%T0vY~L_8qkwMZqlP-)nR#m<93emY@Ilzy9}3 zpWNjFDR|se#oUt>zLwzF;&Fld>p^-UAJqOYV^*D;(LoetFzuoJaQdE2#5P(Nbrvv* zR4f19$RVW?;TZ}_p0^12xPnn)2m8^&*`}x2R`C*5GWfdgY(+X>$D9#yU!S3W6s*v_ z#>Yz0Pfk0yL@WfR&=qc1Xjo!X+Jv9TgFiev!G!^949uEYN!z>$x+Fo;8rQKANrzJa zCLow`FGC_$nT@v16+nWcGw~HH$xbjs=kVEBw`1^aZpri>Iy1zdp|Lwcq`Z+VxNFXi zD2gQ~@LWUPkIT0&qn@4tV+^?h8dEGAiGlBnea}rEzQ-@fceV-X((6mml;B2#xZl2S zCzW1Op`QV6dhuj3mV+U*rC*0&O4IV~6v3$yNJeBHML4-6BfI+xBsvI>4;-jF1=bRR z0&X;503>Nh#-ATSsqF^(GGV1>sur+y)?A<_WuE3Q z10lwbvI0HLMx0ae8qatah z{m3qLGaX+F_tc_(W}W=PTmI(TcI5x!YUSo;=4)*)Y;%3L^2NVXm##Ywx1lI4QlFRF zXCv}99Eh4hq@R$54f*%IP{gzL6)MN&CBQhv<-w=!@{bs6;jE)F-NKtX)rxxn;u6ew zT>p0By~mwOhAtG0xq)zUa`3lBZb?#x`>qk zyQFevMJY~v;r-s%%JU0gE1tkRe0`aHKMu#BVqE6A!;ziZ)<2GAxJs^kKk)&%;4iD= zHafHt#d#vr z@5%AX*bPfLw3?Umt!cfjzBkW- zfN-oFeD@(kv}iMQ*+>j_@C-HeAr+3CLv{DHBW`v7u^}&-u+52+c>p zCR)PaoqkK4uGpP}e78XGYz)sV3T?;)n|}UR*g||@Y(Nkd4i92}%e8d9d%i%vkyNHU zwhxZSegkReBF>pJUDdqiSGrQT`GLHeh^ygF z0Wa;CStR(V!kddFuUo!2eX17LI0)155X|9TBVjm)GJs~q$(%;o!s%+33xfA9R(k+0qEHg>^i0FJjxHvaXg**P-U72TNy|3p-?2hFBsFOXX2`w zge|$VCAoauZVDLd%RqQlvv7H1q<$m`hOAf>H*muEZR^l~q=R5OXRQq7IMowa8L6x` z1&&G+o)IEiD7!O-T)xN_FSY-U$23XV46lDU-0Va zVCQ5S-t%rd=qdV3e6%DEw|ewiau1>jMUf7Ym6?|jDC=?9+f@p{yvgrQJBSDl(DlFpj+5B5t*f$#$_?Eu2d+6nA(G@Jrzu) zI<_}hnqD(l5%bAd1HdpwF();)9I)zP4{OZ z+m=U>a|y9Se(L44@ACx80+cBZuL1DHO3KSjPyh)UQ#_ZP9` ze(y}7w86}L;%09DLq6F>Ug0z&dtvDqpywKiN#?+i$;|s-L?a(DKs(Qxv5)mZt$NQ- zzMcQ={2%HzXw&x}>K2EECK;|8ofuKpn@8oM(qLi#CckWM7nI^44Q&&eL9xECk|9j9 z2;MCJCDKFEo(4*4!U9M?t7sYC1f&TqOyi?%1(#HZHgV!kJg&~&MBF#T92=htxw{U|Cfh86de4l8tiaiE`^Z>yxdBXQnDWAESmNGBG<6LJC`P8R; zLyQ1eEWo>%(XN;Iy%~5#W$8;>44|P`eB3o}%QbXZAL|j@OhJ&r?x#_+*pB%?A564| z@Xi;(Z(=-e#!k5v)V8^~3(keCiZu8ON?SM}*0!-UQds{(rLukGPkyT+d-K8D3HpgE 
zD3Oi7?t9n~rN8Y646W3z**}L7hw!eM!spYvGVJ!TS%>CS3e!!$lQF8u5f-V5&s*!R zsu<)@2Za4&NEP{At^Elj#0OR|KI;nxBRWZffx``SPGdy0(j$d)5|MzbZvhCui24A% zB+mQ`eV9f6i)DbY57Yl(A2k2s8LP7Y0v=`Opq~FiCF1uf-rB;BX{EnzO5N?T3ro|mCL1>ptr!p#-WZoP&Lak+us}`zDfT4qW zCvo}Uo445&PKR@%^8a(RdjE2?h7wmsibHB~{Z}LBO_^SG#9@>!2Y z1$lz&%NPN0)KI+#d~#ASgn-}`Je0DDisO%meJgh514ElDX}yBc%AqaS0zFdE+7r_% z<`2wZXkKgZ;w-U}ovFx7LNm8S28(d*-@P{Bmz7TaGwYXp_mZuygj-+@$!}EL5$7*e ziB`iuNK4wT#usOpg2pa%%FxTS6SsNx_ht5-PZ2uRPA_ax89M-H6T@mY6R$%`mKzr% z`zYJEZ!-v78J%Nev>-+M0=CCBcg9&Cam9=iL;pgvYRRUkt#VyR)FOP+qJd75n^wr# zi*6=5N`x!ev0@!luR>6GU9s;jte=*e;Z@2oE%&$?{!9WC-haa&@iptm`xh4^bww7c za-qzeI&>2?sCl?G((pIqC?_>!gS*y5^|lzsJxm4t`tL^>yZ&Zu)^Pw#vujz=vwKc- z;ry&uFQ#QX@I6$CB63I*PnG{G1S(Aw*RS@RXEzCi(K0vq3RJ_i&V+%eFGa$?wfnD8;KT-6o|sFGt@v&JZYpgLHC` zQS`>(#4u^(!3mkNhp0(er5e^n;ImJC;9&vI@B#7izk?_URMy&H{~-xrpIXOmeWkIQoc?@^fbGgc{&u0y}W zVA=l`+BDz1;``{TT2Yt^S(=k;+16lG#YUryZUz}Tqv6vLe-4#d%v>?}Xk><5aBO zUPtL;D@!M55?oXdKkoW2<%kCC_c^tdn!?65M?r2Uv0b)XR?IW2VVh+b`(kwY4HXrx za5+%fE|g2mL|?n0JHllrJ$%Eg(E4 zqZY5*@u0eJy*-jRBByI@(~%JUP)xR|<#4XF@;gw$;s?La{{>MgLyQ~q0JBd5ai@Oq zc_aclv~!L1|3{)u;4bA?u<~DjKi}Ef`F5nG#gb<93or?I``XqXkR+@ngQ&3LN!nrs zE$tW^=SP4Y7B6~=2-29n^UdDYq}-toqd4mRe{j}eh#%#g77?9t{(@|oD-^}v41?L| zfRmoKZg?X1E6vt7G*B`#pHH|@h1f4G=r}mUH~4}bYL3`09~f%`Bx80q%m{;s&lp}m zSnIYUq+*a$@dVC{2Sx6km_*;+t<~5=3noV~WD(O)pkIoOD5HQ@XKU5u4?|*NDWh_U z!M~`=4c;jCBfXu6pr%w8ix7Kb>u*C+jRO#>l^!=ta-xA2sds|*N(n*3!#{(Vb3x2X zeLm6yEsW-`iY7mA{*4NAKfC9)LO4`+|F>~rnL4hJ$t^nu7zrf_|arH~`5`$K7> zy#6!8%8Eh;&JUL$UiGJUfr&q-%Z{SLu7G>Ejw z3G0t}=}g=BJ#h3gc#DV`M`1WBaTxiUY)W2dGh-kUz>I(xmGXspcG=8y+EQ>BZ-8-s z+(fdMCbU)vV?o_f6Di}u+xU3~SsS#ok(;l%e+oYKJ(ae~VmmjOTs+*YyLTRgh9gzK z&_8g^RzWz!&dA}U>Hf(;7|Iuph3mHIkf(AzZf|Os6$yKU$Gv za3u;sEB98$8K8sPuK%^(6d`P5XGwx5XFdf)c#R!#O|XQ9)&}b-b91I&8gXGhe4j^g zTW+R?x)Pk~3h{q)S+OR3kfvX8Gn3wI5H4f-rK;~-#ZP<*G77Tq@Q`}A`R%w!H4u@( znYD$k6OleY@3;bC;OT>htT!@) z+lb6?$!@xNf4QU9Ce4cX& zZMYqw_}gP6-lp?j5e6%8rmb63KMOpW`BT1LtoY6sElr8(CsLP!Vr3|go-V%&HUFG2C`*;^@^rxry 
zTiuju*Z*_kn=9-P@{BAGqsJ?gi%=0BZy@q4Tb9dt}=!Y^0oLhU}vGf1rQ54yWNpp=q2QL3q)E7vYB?yRPN93yq;nAZa#m2%xj+U z=o2>_=6lSk0m%|*ZQSZ8P^eimp-ZgDS@6$v_a$f34Ujk>Ext?4WFI8%Fs<*yjvCt=uy)e=MrntzMQvqgnM6>3jB3rM&Q`j$rCkxw8=l z88zv#zbGA>9z_lg;z+4RqKAfN%(nDCQA*5NRtzpEq%#xT3AFl+{we;Yl#2pfx4aY1 z&gXS6tfJ@B=i>nx>gg+66cs~ynQQ-HV(D|(9U?<*vieWxpst*tc~yJL(bklo!@gQ$ zomh#fVH=q`$k@(Yi_f+q+BtrAl<}H7h`6-BVy>MLKsE%3_+6GqYMQ(zsBh0dK@Xrk z4;{}VryBNRVPBuhM0HdM!)c_d?xiA7O~=Ws{X}C~4`GC3F`Mw%UAeEq0r_OEhu1 zUe>BaLaw)D9K>tQo;9#Nfsy#Q{X56#QaC|1rn__GQ6%mbcNhmlD|b~6IlQaz+p~j) zB6W(~=PlMtO>iZb3`Jc8&eW%~GC;Peyz*62w#E!nPX& z6(5Yao4`Ea2_x=DO>q`dc7_d*zmflXBtkm#JIy*`2CbS`kt=IQE!V|&S^Fo!C_V)V zLGL`2PQ^gm?^eZcM5U-?C<+kJ-6%UwE!G-z+^;wrkKO^Y$}PVCPahTA6R_} z{^FhayOMLuW)*z9@*Al{)`?njVL`o;OJJo{evW&?9C9jOQ@L|)0tM|h6qgQ(O)(B^ z$_P5P=udtoq$K;&pfy^y2(+l=0hsdW^79;Z93Q03+ibEicKkQonk{TwmnKT7w3Esy zO36cFsUzt9rl25gd9r;tGdz?7I(um|_NM1RaSHw&w#-=wSSRTZTC4WM ztOHO^J?7+4$s2`}HO8D(tn2{bDylBvw|8YW-v%PiT;`#ae9XxYf z=+)s7+H=DD_CE-p#Yq3p9qSQdq};s&&~?oyGRIm8iseCU7H$V{SieZ z;9+d{BcHSIH*|Zs*~mCaf>VgR!MUBd(}YCS_MnGUjYFaHgt{jKT(QR$1t| zyu9>Q{WvaIUx8B0_Q3^IFnN{n6bwvFX1OLH!7Uy9aiLMm2@u>`zOHFOZfQj^Is*0H z_nLcp74dm(TT49w^b@2$O56G(s#+o>RLDWz`^V-y#n5EQXm);h*!g`oM6$fr7oQGYvpYjl}jynC|losale|BFA}6H|21U zhXoJS`w|v}l1-j#{5rR!v#kx-O)W-&;?WxVsb$5uI9|hXJ@BF&c*zn8(s7U2JYOqX zwLJig@x%bqjhx`kPMLQ7n2}Nac0~pUzCfrF6lT$w4kbos^sGgK(#T4>jC9xBN9a>I z;!5VGJU_Ue{UX0mW_->sPd_Mhch47fUX?{%C$hJbyR-2jcPd5_vX3LXe)-{E6IB>7 z?uf{m;?vT4R_4>pF)!`8z{(E*Y67+(c#nki-c`{QvG|apV@=LIohQHPCG=hTetYy# zPDP6`7Iblo!>Q^5sD3-fp-2VEW$Jx8f9#wq z^h!LLJ$%+YUYH=il+i&55?!~_q2)TzJ*;Ej!PLG4 zdu|lguwM6#C@asqRVmkX{;3#jQM)YF$oI^xOqooLc5(Q0gsNryKn zL>ycSo-McA=6BI55GWOqBtn zsLsXdEV}bo?^WSf4v_T_c`WA&#NIYrTZ*pZ(0eC-F4OUtBsPfU$4Df8A7`mW!EpwY zqzP>iCw`1Z&((xT=eKahxl9OiZ8BiFa`Irtkat8p>>4$XD#B z3>%8c)GZ>7LwM;v#uvr@*XU^|_DL$TUnt4WI02>Oa@${CJ>?4R2Zv^ib|ZkC3Mb*! 
z9`XvKx4Z42KUO?^CbnC`hE;dD0-V{A-K`LF8>}ZIsfpqK&J6t;%0JDbh4#(?q*G4OO zqD9ZxUR-c=ZLi9#mx_f9fpK2R5;Q{rDnm?3pKE(=iRoS1u&7*;-;&hK+Yif7`j?yi z@y}n!Ncopq>^0HF0DkHX8JQJIjx^&o6ayE9cd{y07O#b}5)O`9W`=G=0qUZ4j*=Lz z*u`2}ixa=0M>Q=B>|X6z#}Mgekf65$6NQ(TsK;eR>K2If*L7m+_uR@=_U^1qDVQW( zR2v7SBu*`J4g<<8a@5_%15?{i=1B~`(9z8ayUhBlD|OqT?0M6cp(D2mRwZ{ZVM5cVP+p~i2IyxJ5bZ63JWpm$BG2~URBr$R$Bv436)7MxPs>Im9Q^qPEcSS_ZCWlN|GPbGmaQ0Aq z#>B^+tfb?97pr`GcG>0+s`{YT?6Budd6NQuJFH~?VH5h-x37QFIsRzjTdrEZlyheB zN3v*W!&;ph*ie=oV$rkwQrSYEnzg#3-ICiTym-Ted-xhqr0FW5is2mBA=^H3pA4GMEv3>xy=*_*f;je99;bIoMI z*K*@F}>C2Op!nM8#O)Eo$iL{=hA`ld({EFo-9)FMb=R$wu@F) z_O==suefDmw|?yM3aJ>(H_ z+sW}Jc`1I&`0cP@#TLS?()#kr{I)c1OWk8g-gn$UsjbYzS$0fP6N?T?6 zrS+a(zw1M{s=wTN^4p&k&^-UUh1^uwnqGoShac%=VZ#HgNsyVZ1N!=QJY$i5lK{eL z$T+yw;;rhYgUesX!DHfUjXRU+^}Q^zkc~m*69?~{JU*zp14FBoYI4(eLm@uZV8OS9KmH1O__~ekV-rVHa?q z?%-xxkc&MHhq?F<;bG~)qDHZ>nM@}9#0j}5K#_WFxz__W5N6^DJ}|P-NhzcPYR>c3 z1+hO6y^K<7Y_dK9xEqM_Xc(#1TBw9 zTZbS0V+l}Ow4R}B&gI?Ju%uO7vDL_8*zNDGBI<4mR6U6edg>0~U0vva2J}DPNwP;g zylTI$5|wMMji0_TqPpID!cGjV6JRHp^EoLUem$D3<=kjOx$QZvI}6HWz(|h^=N_5e ziV3y-;={@HxqGKKF~DcSe&_SoPFOu>Ww%2yKA9DH+h`2ui)cu>&IaDuN6`Y4ui}E> z1V0VCfE82#eZmQ}5$!;w$^G1@tn*iI&jX;r_8cNPn@Q&d#?h**=>vpgY9br8?35^D zK8z14qxoN#qS+263r8zYuyneydLOOf|Bs|=j_&05+FN()Zf$LCo1faYZQHhO+qUg? 
zYumQ*_WOJP$lT;kW+o>&nUmc6NLd5-FzTxpgKm0#|Mh^!rC2-elpgwOZ-#TE>7vQ zL2_^Hnf=9Oj+ke?Gr-c`$ALoaZsR8OsvT~1^`ImCDyN}gic8ttRbJYfI(g+Ca^90m zoxTuh$oF*b1-$oFpXnM>2sHBEBlF?Lt~pLM*Namq(c{O^+}$R*m%`BnB(~Poo>R;j zl&x<}|LQ-<7%VR7D!NJ}MhPu8y|8%1tFeKcw~KtnH?z$C75{8p_}KqY_|Ah{1o0E# z!=F!Fa#->g{rUdA^&O6Ra1mRnUzFW}dCODVIavg140u@PZi|?6fILiyyX|Sj2aKIjMhfai?87r#Jf;QzINGvoiR3*kS*3 z2-5+^*{)A}lLvw!Ye!x{0kHBs!ka3TUZNBAjiBiDc2>~FK?LRKrTIz`8F|C(!mB;; zP^>#PsJ!uoj+kqNiPWwsJ=z3%&6~X!HvqhPQ8R51wtld9{(DjK*ZHjcX`MAoJ$5@p zzW@+VN$&6A3o4@gB2b29F+Zsegg~!7sCa3DQoWYas5RTjWQ;|8Um0oTQESpas&ChU z3qAKMc!?XqwE>)CTKuvA7SL27?QoO95+`1{C-9og*kdY-zq*6?GW<#COL=6gD|KEk%7GMv$-EA;rF!glt=+k$6=d=!m`?=*WhpQ7 zZK!X$JNQEK_fEB|<^o$l9Y3~U<{v@$Zw!QMt3b%N1QKwOUH0+u1p7AK)G65EjcP_d5+3c^Vv;tq&b*Jb8EZ8Y)=yYUk zAM?e+!j0rKC?>r^Nd@jAxDbeJHV(rZfk}F?;=F+nUuRMGQJGUMuqZ^dN-~n&TpX2a zYQp~8h>G04FB@oYP@?OaZWZ&K!2&QO7}LZ-mz3tIu%P>de7y3%w~ut=5mh7)@)Ou= z_sXdkSr1a;sg;1JN#?b|wAoHWewyUcybB&>V0c9b5xa?F$%?gobeo0It)|0n+u+{) zHmzpy!YJtQGpt)du^-M$Z35$jcg)B-x*LtOVU1K5##Pqfa*!IjZW%vdB%NP2sEeXx z0fnCY>*pG*>(Ofs=|On!>OOQ;^pX}Ig!aI3(@oWvy2#P6gDz9C%Ng3r6I!h8xMN$k zOKM{sEvqZ`!?1dh5Oddsi@j%q71b?lN_svl)w^kjOZBF=cf* zo;RfShjWH=GShDas1Qw4fZ}tdqbH{lBP&Tym>6M1d_}!^C|Mhm`!udssc?~VhhTW4 zus~{FhC`69^DYmfannMz8dU$Cl%Ec@GMJ}=TJB34j9gtCfNpK?q@aHfT^$7GCc_Ln z>|JAj*;)p;+m-40r{(I z<|fp&W5hvYT9#58gUM`sRFM7t@^-Q3jI2OFZy7}mj=+vo+?4fvM`mZ`q!QD0wjyh} zj9CF^Vb5MPYf^jWUCkfs9qM8V7)U8l6k2hAN4&f~mq|~2+P?=rP)CIyuVSJ3gDFWn)$4|n z{cfvBDpnhox6v7hO6wPZ_^HT%E6lCJP|`a zLD*lN#8{ID&I%F1Z52y#b-|3QZjMioI7~RPByEIVDY0OQFNdZ;S`{uHY^@& zn57Ji&{`d~)hYq1U0NAqoDrrtiU=!r5P5i<$VYi3eW?KEgWg8 zhxpAnhE35^A{MVlQ_j~bCEQ12U{@WSIovFN;(M~<@Q|%zdJsJiv=R-YmGLPvpV2=E zDN*}Q@*>X*iZkfUC(o70liZJa*!z(oUYDEszqG6ZKCtG!Vee?m%H{xBr!E8~i-i$D zlTUsi1lNVlxQM+7^Hpy`P@oUlG^GA!8C_Fl)7u?&J=CxYM#Nb=*c`w+_7h+~pi5Tm z%UqxyUWKI(n`}TOn;EiSYAn_{Y%{})J8(s!*|PnZ9*zgu{?0>f?QkK2g2VBB&J6h&m{7wlmgKSBsulM={T1k2_x;Dl7( zN9Th3>Bc_2d$WDXo+X1uvQ?avB>P?Dq+tsUGs-NQmkl&D7n+8=>YxNkue3EcfjV^;(d2jmbbOzVF6{$trNeOQqq 
z{WQhNTx|&D93PZ%ZgOU*vGfw6Z(4rbGipR?CvMVUSq*hL{jJg29M@hTPjin*IeL0* zjv4E=CvTGbT|>o-1}1Jn%?2$I=;m(VoFpoON17H#ngyTqn26O_VdzwLzcj!&*cxQI z$?T^_pVOfr*Pk^BGH4)Yps5mpLp&{sP_neQW;lRa#QJ&s9zjW;;Q2k=ef%+S_U2=m z5LUe`6Zq%ICq}m^lxe~u#Y(QzV<`Oz`@>7nh4(M?Mi%1z=r0~g2Lb_v4OztJi_vEv zsh>Aq#(gLJSoNzXLv2X=Qk4ToLmd;|2e~B~_^Syki1z=0fdb2YfE|Z9&E18#+KeXR z9!>x5E9px2w_-5{4!^Ci!xM#4OH02kbuYu>&1 z9pyc>ZJ!%RR9*iVuseQeL?)7F5~qAfg4A#NQDj0i+|UC1o`_zQI{4)Xd;SpJNt@s2 zEF(Api@K4gxsx(~+~s!oMR-JZ)e3XN6|>yX4^NUJU|8v0X`+61+X+>J#ub6>N+0{S z<=M%a=#^HjW(YTV5Kjy%<2V94+s>lxAuGX_Ph_A=xuHn_ppM7JMSW&&8Q{1CSQTW?pSW|3C<0SH*j9P^Ar-RQr2U# zQ^Tme(hkV=mc84M{iz~3@F$}=!m!|KP!7(`$Q}r|oz30CnL;0Cmfwv4jIUzmu-7XU zOfg?;{R9tKy)#^ppcd~xpK`P#mOe|YhV|dapt&Jq^D`kmuROKBI0B4vh1iZXif^i5 z2vJVfNr6}FTb1*=AayEebX#&=6r8paz=}F5%3lL|)H{y)oDI)=`FE;klB}F}Mx^jS z=_fQFHwzzuulchh=)#4QS)Sacc+tXl7lVBE#C4ado+`-FDE_|HSZkIZN}|eMZMk)s z$txNWBvn~9haYt12U|j>Ko<;#>c_kub-q-Nqfw3>&E6pY9sFZ|Pndtak4-5jddD7P zOM$-q3G=A}jFf>$?s)Q9XylNM;25peoBuz^=tZx#(}j%vJkFegw!6v9^qzX2MeOyj?p z#CVHfQh-_cD&&OobbW3lEK!@}>*QO@CMe4|VzFv1#-IMcxqtH~(8B}&ygzKDbmFzy z8qQK$RuT0X)i$@k^+qztia(Mp-nF=8|Mn8gSR8y;?vp$n0DFV>lbIZ3wAYfW8iz6v`eg76mnLX)%ULZ{Q>MU7+W6( zDW)GVsoCz{+e4)UbvDg&@Je>}xJDBkD*j=mRIdut3IR45d)9fdP zympSM?ZRhj8}HJKi`a=ac>)>W1;v&Ttfnp9Z;yTcn{<%vCljwH(-)${&cdon4w^~K zKr5c+aLsC6M{;%|n0ZrqMy0hlxt6Wee_^TBcATLiIB!4Qcp4E(kyBq!>Gf`RHi^^a zZ)vcJQ=~KI@r(j`^h<{|fu0M6!?QiVN!4vOcO>RXyjqa81Vu*;_4%qKXX~+I_PO%Q z8jE9Nfbebn!M{3`zi=zLdgqjV?| z%0(^fuR3S4X!y|;QZCVuaaYaf6+^4%KC|c@hiX2_D9n;S3uc>ZKqCV~rwM`TH^{UX1}_~2m%s6t1cn=#pv;-FpX*^{ zJuLT~kR>NdiVU(o(Gq-mCk|c%Jo#p1JoR7W^J!?y)d*4gNq^B&WsgZ_E5!RE1xW_=WH%iv4O?2Tm?VMX}W4$;`waI}BJs6P|M!1OlR>q?E-Y;(_FjU$6 zAw!8NThZ;+YP7oc_n04w9wN7Qr;t0up}c16;BASs+V`kNGr$V)g5!F5wb|j7D=6Ud zh%08%TqKDbszgZ0Wx9jxuMsZXJH;z#lHz{pCtFxw#KtO^#nkXN@!3)&X}RQ5Rgeq1 zt}(5+h)KS5+%QOyH_LDypNsaTr*k!jFuPnxR}W=SRSB_G&JUOrVyskD7;=mZZ@#XB zX=f3n<;r_PTtUP*2((l47<-|d0ErmR2=0jTOEIgCM7`G@XA?GeW(ymw#qn~zxbS}2 
zJ*&r?(eXJ})qQb6;-XKxZWG|d|JFbeZf}h&tAQhV<(C3_yz6URhYzJdEtHYZ(w>zMSa3ImdHjj8iuHjH z=a;X-h!(W?Ft#)9BG1XzE3^y&+jHCGHR?8gHLWDB6RDd{bJEd9Qa(Bsk#L1*?K;h< zZag6z_TG-?@Y)X4cYO2un>~p*GE$eAN^|P>E z>cm_4e*cCC(p^AT5*3#3imvb8maBOOq7*`Ob-9{cJGNk%z*3Zkj3Y!l3a=e7w*JLd zC(-h?8Ug$;y}k>jF9%K*LMb;tSlb`XWt1oSNt%Rycg?iysy>71rm2r8 zkhGENmL-C73N+cJ)tVjrANu*Nm!13)TB*x;<2?GNFYc=|uk-PRR)5<1!TRJ@pBa(_ z6QtIM9I0&fpL4-H-A}kx5SI$Jm0@{E0^Kf%OR+^RLs=^xP|J%Z^lchQGei&GxlxtH zyMCLeKMcA%hlJ>CNS+|1PU#}i18h1aJqzRlmHFm z)*qGww-}ps@!-q@Tu?$En7OO0Bd6;o<;<+ygvPF2hmT}4QX|^R8_rgB^JzTdD-1Ro ziMyD67SqgcWV_zKKolV%Y$6IM3a1P?V#8u@TfL5XJ$+t3Pj#XSXh0K z!bqN>Pb2KCTwlj}9<#V}c7`(eZmPA+xP=d%>op<1d)|D@N2E1Z8tJi%x&pftkN4Kqw z*zVy(cEjsGfZ5-qVY;{Nq$^NQ7_7`-W_b*07Bx;@j&<1E_&UfVLo_X!;Z(uTQCtis z(bW@3t%y&KK$;ist!#A7v!CHr-eFQ88tHU>0Cc&(%4z7%#-%l^3@N~M|pSCd3LP3Z{xzX<~ie6ao`5~77Lp-dWLr6Yj!c*29kzv z;5{+o`SnUucj;=vsD9Ia3CuTo{(elh(&}Za=6juER&<4rSLmX$+--)hsm>!6`g+vK z2AOz0MEkz$L=wTJJ-Wsl^7Og*S@+R_8X_`K?ZXbkq4&eLu5}HBPJr8eI4#B8Vt0N) z)O@G@wG1^AWrD8``TZ8GNqX*xDfaMq49JHskJ|OI;2bt^Xlmhs2kNX*E{TAASpArV zr6E~rfHOL)}eYoLJ19TqYhXA zIZ`CDqMrIRwH7W;ENILj`obMFr*EFvdWNE6F{0o?{jW~I z(C*;P5ud+PEAG#>cSvtxbJrNF9*z^h!s@kA$hLelOqs*R5}&U363#jyVB|9aBf1+| zOR}xNJYd(8-`3MB!yh384zGKDA$Sz5ckWx)#1>#V9u41BVrkm=q zi|W1j!Q8ufZ@?sHb-fIQP;TV?6mJ)ct)DW;zXj*8#5Er88Wity{5#1|r+;7}VXZBu zvVY>jO6r`fRAfr*Qqz1;jEBz3fpI&dJL#?_c7Qv(v5j`tJeZidVe+C9S#MW5!=$Y1 z7cgqpq*-3AyadJd5I41gz1^m9RTx|W;2>Jebc-{#`U>+S*$UWGxLC77csG&{!@#t~ zMTBl}0)b*(0UlKtASn~`Mn{&+?%@9V?oYvx-lcg}45Pj*cYX21)Y zV*SWhJ0rgpxo02O@%}wwvZrTSVa~2OO^Oxx&x%jbFWlM5Q6>1im5hGnWe!7%>${TJ zc=i5b?kB{&9cZlV!`85%&T5y>XG7z6U}11XJ4Rt&5Z^K!I`&U01q-;Vp)4}oU%tT^ zhdg?t2L&K<zc7zX@uR z7GjH69;{gbui|t&e_67P8BV1~_xp?_8p0BLLk#;&$1Sbo2DDMYBuE208A$Dik;r^3 zvWuvyV36QnAqYd>Yjp*a$p_Yi7~=!8z|oKf_4yaa$(M<#t!}kDAmRcrpn{una%Irb z#$^+(Ry3F2mQTSx+E3L09yypnY^Zcm=f{%l`qc?wTW6FnGLYg#jWSvS!ON^J#}gf; z4BYgdN!6yw)FT%Oc~eKey;;A2KC2&)&y~)Q5jx1yhCkd%TX6{p)-FLggE-`qh6DKu zrg9$C_Higvn!itGoGH&cWyWszk#S-uIJX)`J}LRHROy|!$NObUKVEjBVy_kaJx2%+ 
zM#ur)Cjti^%4l0%=&uCgy1cIZcOjHw-N)S*>d7B;9e1KdV>x_wcO%p?-6no_+~SGX zVbvWeuU2V#$q>E1}T*cCzm0U}t%w$kdft)fpI(y9&4p<|oHqcQ}K?xkQzBxaL@3 zSCkAbjQBMEYKZ1i#14^SH*THio)p{Hj+k1Rf;2YKtVWfG>8O%>JoNC}&7)x%RJJ=s z+=|y|fS_y#AlsQ#i6C@oL5M!6I*{9)_cFj~N$MSna0fpM^YAZf=2l)g3^<;w^Q=rN zq%xQrM?B?bd+{Pa66_|GPK;jXqi*R@zSFm5buU*ihIPCC+xtpJp(Au^y6G5UYl^6`@mzL zV-Gc44+tr&Nt)fGd*Wk8y=O(KR*gsG39{Q$Dn}D~CBngd(%()D6=Q}L%hMU%n13vl z#naS!(_v1yWrJ&MvignNs<{FFLb4@y&_a<5k1ENn<6AnNw_TSsNk2 z{f(}oAOWTD-Ka?x-#6NHvUX!BMR5u8wJL7CykHm3b-}3@EM|wBK4Ho zfH_2LUCc+=g3K~YpeY{7REwA$sirmDi4OB7ttnqf%jry9j&`>%vByR7SO~igbt@64 z0d*^{je2E`&Wt7Vb5eA@_2=4Px9o{vN267AT{^yIDqw-;0gR?)BwPg!C58$|ONvvg ztRNR0$+fcQH!a(WO>kCXTQXOt%emv|Ko2x#cO4XW_%_gW-1b2piu(|G;Hzw9u=RZs zl|JW6WXcs>?Zp$G=b~=S`Y~??DQcmy_*BYYg^(ui1A@u7@@hUfD%T11HFq1YYdV@b zm$}f8-CLEgp^HGEpIlyEy(r-?(;{QB{uAy%ai`JeOA%$OGWqHmN32KD)mb!eZOqIP z0S2M~ulr{*R@~+_Kc=nS)C+>LJ~qU(;UAYt?YD=^rTQf~h3Z??uM9`GL!mh24hQQSD)9W?zNin-@B|G|8mcqk-mzh zNif?GkGEdkwaxFrfaknSF*pN;ktcNXY^_C3qM16VL$7$X~chVi1jmPEy zgFkBj?gP`ntLjZc3QqL(NS)Zl9Qw1;OIl)Z&DQ9%rATIGdb?Q7dgT@;@2nDR_@8THhin zQuSPWB|{dcZoUqiKGimGx`5DIQ=R)#_^6%cpW*!${2)GqYoP=?fPb`xdxs@I7jpS5 zeN>jMQX|)n|Mqyx`TlsmUB#1;@$u&QYT^C9KlPE`!Rz6C-(TI{#QXMic6NWecd_aD zwEcXW`M9{|jiBfm>iP11WAyku9+jS+{(4!*Az6?8)jDgS7HyZIrbXN8#uMu&w|J6^iNm$6yteb|?1*9fKczQuwhbAe>ZRxL zV5kaNiL>W3-D^9suR2icZ&+pE7ru>JAz(b5M7Ij9v_;thoKO$-41TG@6P+2TO5XbK zbqGF*b!Dw;rKp-ZZ*8J5)-TCXFmkniXzK(z*^jOfU*B<-w);7Jwh3cb135WTFB%ZN zW$gq?q%()&N#wXwU~`8V6e4qi3Myja_lo_i3n<<|gCM9&?*MR#I)p;77;5PQldYWC zIvFrppnV%vLZLVOx8f##i)k1tr_{uepuNDUrET85&L8^~8kq;*b@1k7a$(}ytHzp8rSv6$uJW~WBzJV`)c&`Tqaho5 zb>d7vFLIpP*%|lOxdTx#iL0cC863(%E7QJFa1l$(?2}&i3%A;6xne@C<0|w^)r@s` z;}gZ)Ujs$6yFK=?wo=C&PjJ7Nd)l6BxAC{%JRXMpCry zt2?~yDITLn+Pu4jAMaz*f=XZaUlJm}Zsm7Lu70QyR@RG7E7t0EKRAN}>lMf8ek(h5 z&{->)wU)c<2xLE6cN2PRCGRs`7Sl(p0t`M+J7B zbw9fDZSGzm_Y$l_JY?!tl!Yixnr{>XY|krF+%X&abQt0 z8J(>6iP!8#cY5Z^hkK+L(v)nXL7Ziw-DMZXZ!pRyUQCaU?p)-G$^!ZYP~sQ<-#~nL zReQzZQwR@s$ex9VO`4}r6XFLF#XCeCw*DCTWlV5Aq8?2-G|VMk9_~9!t>Le6=%;7c 
zVFkIO?mv#>&1$*yUPJ36OE2ERx4>q?!7ig($JRpRX?-(Yw4(G(a{3{glldS)( zuiSY=;t(F{8GRRT)0T)Z?M-0I1*Sc#mqePfOIP3?^b&SSjP38?fq8JhKBk^Tl1n9( z+c+hMYRBhg5xR%n)9VMTtbnj6h?0f;mW@Cx=DWO8c(@t8NI&n62 z9Rbv3WJSWikK~UMUD|1?P;aa~FHkWU80#WBp1cs(S7FWu+Z1<{#^m*xNpfVwKA4}L z@2SGRe{tF7vb)rYF>jxbGHbT~gr?4S$zyxL1od`oK0#A)dO>8EBf1lwZljbpML>KG zaCYbgvEZmJrmrlMU$x*bQES;2O$fTpiL+tgAcgs2lWAl4CT3-|>1ERRP08SlW!k3Q zS}|CH3IKLuOZRJhvl7Hsv?-T!k!lsyf<5F=De(Xag?Oyg2uS7bO=)*u1B}<~q^vh-yS2#nAy5WFhJ= z*ZNcX4CA}>1*BI}hitw@A2Y6PpZNnaeb>@pb7$Z*Xi85B0(;cnnGu=ro=KUucLbU5v_BU&Ex-rol6K;n5K*?BWtb_rQ*#mS}gmk*ys3Hb8 z5$WE%{spT2oh&&WF7@ruesKqzd3;2OxYg~i-_&m--${?%^PRi`Yyl z!U4p&Cqi)h0i%2Jl7hi$I9%pbJnwulnIJ%bxwibxiHnCOKWu=X!gHrw+@U>adpPcl zqO1=<0-zsrm5!YhLHFl*Kaq?LXm$L>a?Z`$r$PVpnU@o&5A$}N`ZK`q`xfRS#Cg(( z<7mf`4x*)b4Z9N4EI+FsDHO-H+TMIZV3&Cp{&nb4>6lDx48H|zYQYdm;`~A{S{6BpicRI>^pPq2EZf3?XSfy4a|1P6LyUgkV>u;*s@D4LTa4B=k^sxYAm@p$nG#=Mk}b!xLJsA?&39`JzLR8N)! z2i0QSI=RLyCrw4DXc1N?jPylGF9Ma(;UxqLXuI1<*`wDP_MX-!eJQ5=DRQyFQy66z z9A%48^`9va`w5qFI_!a%EWgPq{G*!+l4Va9keH|4G^=U+NhSnD+ZV-`BR>-o&bCrR zE;VhftD|E7?e-3FH#C%c&e!yENRWRT6erk^JSD8lIz8NskYF6;6%$e3RIIx@*KlYi zJ;3o>%kOK;8GUoV5q@bvtHPzK_ikp=FA}g8%C%}sAqGX0(0psM&bJCwUEMuA(LqNz z@Rh05;o)3kTETcUAL^NWTa|ZS5_K%*LAE{Kz9l5TiuP?W0;*1!DYvbdAe|Dfo22>R zHOHxJK@$rrLEV6oe4&;7uZHiyl~aUEXFVlN7-?Fy;{#D0#~G_xIaUJTNxUa5T<9H9 zSYT@Kdofa3<16KZO@Om=6V-yVFJ8{wx2^JB_>#%l1lMU#7uubvrqo*hbc3!K2S#_~w>+LMe2KDrXe?P1h!*T+@Q2x- zkJXvsvJ0ZCT2E&+T$v%;JBQjQKyaF5d8WW0FD%-^Z z?Rb7~wA#6DXxx&hHm7c2^^aGRj(#~JsEgs+9|0q=kz7zc;Dy!{&dFRy=J>Dr+JadLZ~>|qeQf%V}ognRu!Y{Bfg^Ef4Qf6 zt}RN2{^WkVFICe-amFyrOr>xo->CuzYV7fFIgk}QwxqXH4Cu~yoN1y>mpnD8qLNk1 z*oqzk_SXt)01~qLJ`0r(G@<=ryZLJ0W%*I2_Z$B#=Q!iM$Y5s%9-A>kNsg=bp`hX` z@;o{kgOHo|L}%4z57e7@#T-3Mna;;iz(1=;o0hwlI=%JY)!=J}&)z%2f(&~nmbT!x zDW$!#GUEmckQ|J(KbP7TwY*-4bM%_;u^uyxi%7*R%f*>sG6`T3l)CHV6zkUQ=N9;n zo6)N{A-16o<;Xb^b_DZvyG%1a`y}+mggC5hQ&SBm%6_TdwCa8>;Jp$r2If*J>p%@b zh>lYXlk3F8Y@bp`_mnZop(Ivyn|OB5nhU-Z zD&+kl_Asl5EKX!B=1;lA!37=^^iKr|aKco>m@l@(bF*&`H^*u*6HJvRG12O-ITEjF 
z)VrQME0O4LQrJ5cBClZYA8p59MX+f(>|OlFblJ?Cg)b}PNoASTL3Q-2Ez^7yK1N*=G^JC2J+qa^iDBrQKNI`K4@J}ogt%yb1?ELiYI*FH3*-I_JM(K=9dx^ zr2{-_F9{RxUViIhw7Ma2#_CdS7N#YMCa;3+)o?vqMl3WTg$&CY34S5owzDBgk>RGw z2|&$MDWZOaCZE^vF@2j+*;0N@1pr zKYk&5+$S)jjk{a1sBj5Y#8Zh^t$%q17Ea}yaor=CZfLzqHJge) zY&+@NLaq%Y_vejQrZGw6R|0WiRX`SfK7wHKa$ryHOJWw6h>k8A> zE4i1pJ32StXH#AOgZnrUCJRuz`pF>)7x(H@bRqm&k73#`)4_5l&ylbrw349OYgYEIFc+_g%8LC8^1WabWQR=CR1gg&X zd1@xsgK)HH5DcMLpGFbwHK)oAM6s{ztV4XEj>mQVE7;lZ9%;sfat!8C=rMW{W@#LM z1wtq9p%O2)y7SsS`06f=p2nr)U_CA!HT4Gz^G##Ml48!d4?L*M41lFRRa>ib$tY}(ml7*gfV7c3};$K6s*%c3S3=@F?b|zSnZjeD&>TcFC*&tgK9LrqA%uU|Q zIAv_XIY^W`LW);riT70$5@+TdND?lhoq+9;efvw;9;k>W%T?mPXQ4a%7#mQ}u2}(z zK6HOp0nu&q6!(l8LaK4dVdWl`hY`FQk^(f}?Sq$4MDX^t5!BUCjH0GaH1pQZg03># zxym;-s^90{H{0lRd&R&42*NlIpfV&mp0LHTIxO$B73LLJWNwP=;V*TeeCJsaTwBYf zL0b!)?5{_9`CCciO^)Xe`~ntys-CT`44HbeAc zVUI<>v-&V{c1wiHsYOWGQD@ZgI2IFj2oMEyKjh}b@JY*59DE=vtMHlMxxSmXeW z937k#T|eK@LYqV~RcZ7=F{|k%6~2xGP&tiIanD!B0bP!u5GS#M+m3`l2w>$+7{v)_ zM6JTVsTYRRG&8R{rs}e;uDRD22*XU~pHJk6i=ihh_{(U`=*+6Jyjm8dI^xmQZ<9W8 zW`z%3tV`$R|Gh$8R$Q4czJy^c~iyRBHEo37~tI_TN-$Tzy2|JMwz95GvrmDaq z%NK`By{>6sg|ni6wEB#$9?$)%7?p^#Y*^Ih5q(ukNZ45+Ar2=GD02$SmhlV(hG<)_ zzv>*vrU&QQ3vcdEC5l>9roec{Hv=|UX8U(=yT>>rva$jWPXk5qe@HsC*sW6=l%9gL zU6)znd8N&`24)@yLyOxq3)~=!>d`T3jqJ#Ltr9Kh-%DdjY-JLx%#hJ0t@ti$zqvS9 zcW7FXI@%h(T9!%Q&78zQ6uJ#2HX{$YZSSoNm`1=XGMp=nFOZjX8L`uq!g8GhO*X;G zv@#g-PpOeq1?l4iZWojk{GUo+%^9)xOk79%$V9P>o-+7 zhxH89+Cs0=`Nh}>Aifgig?oZVtHdh2+*}xRp7sU6EqbtQCdqJNlBIJguIHj~*Gf2` z0qW45%*RfC8k(P8}i^s#+& zrVN@iWIr?;2W1QGC|=p%p#fq z8evS8sZ4V>ACiF5BrMl6XObY9@C=7btHr?&n_~_R>j#Y1a@0&?7b7XVK(r3e{KU@B zd_kNp3#$dr{Cb6(N(6P65xjgbJC+XljCtW1&d*!8@|}R1!cM5$% zY{9!_vOa77XhN9)puvUe8_m(}L(Xn_E?gsuZ-IW%r%3 zm?)Cj?``1p{}CbOhHIVxJrUvgtoi1#F#N87z@=ggFfy*4d@%hH23S;#8f&^~VK)EM zS^kLOmOchXRb%g=es963yn4+>HF`VD0&{O(S+aidzfILUuTNdP`lsDV?V&h7KJ75Y!jgTA)wY58SbI|Nc$&n2-l_aJG@P1ufkS zScN4g{@)TIc(g`11iaMf*!%H${7vIbv}du#L7WMBYkI~+7wLlolR+d}i+ak^KeX>a 
zb5K`*A_YN`xQh!M-XLKP&MOtY6U6~3wtB487vY)d9y}WA9gYFzEa-vLS8~fPBiOuL zKen<3&A~DbP6wD53bcjQXC6&?*4OKa%}QJ9tWTRA^DhL=5gn&{<}AQYoa1gp-_z2E zB%1KEtmp$=^cuC(9(_Q5G&;f~89Q7{##-lVC8@}UnK7dv?N;lm$nmYOSzvac+NHx3 zQR7%-bA;F}K1t&YS=KB_`Xp|@=F@5+k~`@AN`f?%BUQsnYzwJrj?Y$h)}+>ZTD$Yg zyq4GiQF;sRzsAQEO-#ewG2V-iJa#q-pI^nD$f->F5d%w zA0X!F-&R1=soU#g$K>;a?l!roDe2vdZ6ALQchCj_nJIoey!2mq6wn7*AU=??jTpr% zR(NbgHQ7RXVPwZ19JT##-#RRT1p#wz3D- zU5`*B!MDcoDB!E*M-Gns$eRX&@AYPu1D~I}ut{#-U`<59{fKgxqsLnRDM|cH(*Pq9%b!Ww1e=`J#{dAInAA->y}#8> z`_21vbNy!yV^A>yjBx+ISu_9NM$`Yb@uzS+rgCI9xapaF==MgdSNe}};Y7^>5S2}B z^}jrZ`NM+MXd$cN-1<_mr2Fho;>Th*wXy+_bn)Q9r9J#8`anY@-G9ni+IT;;FB@w3 z=o52R*0RN4!}5e>Ogu2zF+wo8vDQpv2!5p1Wf{U)p70DWY8kfq0}Qi!FeZ1@{|{&L zkI4NQ-T%_1RV~%St8Fb6OmdK}e}Iu*E!D-tn{0te7wrEYSzn)r^l^jAqy1^CPa!5Z z4y|uJ>S5iK#l^spBQVR=4!DCk9hGvl85u&X1A+L&TpB5U{IL5`I$BF){Ctsuyi7`< z*IXqs6OsBj3^jYPM1}DZv58CMto^u?*aY!dS~2+|GFy;U$37t&AAxuY#*^|q9zxUv zC*w63(%%&F9O_-J0qe5gZj>$Nxvi;VDTaAYw|5_%#^5BH*(D5e|Al^V)xJ&4g1Fi6 zc)5O6J*hyWK{F|+eL<~xREHs5*Gy6?2bF9ASI zJ;tBG?%E`ITL-aD^Bk4TRcr`Na5kP4e> z?H(JVJGns|QIUr~9Bh$zn{a%6*d#FPPwVq|v|HbYn?vi%CVb#4CH~=!1zVCunxhhO z^_(=6Nz|WCJs9uQ&pZFBg0}P+QjB(xXL{ld3(R)W0eW&5|5@p-@7|D!-f$*boOm$f%l%{;0Fr26yBo z3(U*Vc1Sp9eXzV-3?@k@7@LpQ?V2-``XtwXmF%6=@%p15=f?g&KB_oor zW+s~rBZG!-(xN980mxBVOP&56HCYNcpK#Is`+xy`EOY|8CB4XyZ(g!C&#cGltj)6X zMzZH=a1MJ)>bygT_Wt9koUt%39_#$o-RnTy+m$y_lYSvv3ob~@66(1@>kJF%; zLo9QB8v)ovQpGM_cd@hLchg`Yj}tZK@p3UR=JRuv47RA~JP?-18%H|7{u+vK+%&($ zRqxnjcJ>AK`YkzVR%V89rgoV}Zuk~oT25wIrbK;$E{V(h4N5%}>iNK%?=e3!^L4X% z{(ZmL!0Q8(112DPBXImzsV_b(mfQnke;_B>r%m*a+HWg7({f5?HPND)>d%}YNtN$2 zCb}nrn#ZyWFZ~ObACAGye%>DX4m&9)m)0sX&A9h?3)m}LmPw6i;pr@x>-!Egx$$1@ zM*XAWRgcpnq84kxt~FQ$jA1sRc$KvOto59M#|5W8#&I1__NGRT^Z6z18=BWr zQuosWc{#qE$rI4*7+9-Ow-RFMir=*!gy?=0)GaHkh^B zxYz(t2v6L$Lpk;p7`l6xwj?gKy^Nb8`5;{Lt@G>KT?!FXUW05*^(~3H%kZKo1pYT; z0%wYFhDM6GiL7X$9G-IUo&9yp`|aiVG%`P*lN0lOIrHuLmV@*%ay|X!`sDI+NH-@d zEBotXbKQnlv*(ME_x*h)f86G_rYGlXQu~{|KB1w3_p7VZ3_Jlu 
z>f2$r{HwdNEWSq-E^^`aS-|l03Ze}aSwg%Ro~T-1N4gKBc*M2i9x2Y&EB}wG_*CGe zc$y3(8A*ZkW1`w z&6;t;nA+MnM%QX;iF-gDrs{-PI!L9)T+EQY#Q)p>Xe!X0C58Cg2XDC!33+>z^KVy9Cd{Uw*%NxSXm^BC3 zd<%02CQLo(RSK#8>Rfb)lk(YWu$BRr#YCggirib6p*WBESAR6uAO$O4n}Rr97FN8q zQZmJl&w1V^&wJoc!b5I094`+iwGaau^w%SB{EfR$w3jY@_h|)&Lj=G4RFV?^%>;~@ zR6?;aQv?H}zMbLQ`=)@brpPDaXysal;~jN#VL`6%uTREvO8KpriT7JqE^Doq#YjZ~ zdT#RzKbfkqXe>%jJvc+|X8US|*4*YxA5vy$2IMu#^mG2CT&N@{rn+3P1Hza!_) zt&5%y?{f`${U&b7nqMF_M#BlHxLjYlRwqjgOyQEN{#$lxm~6mD0XdVXrkv8v_sEi~ zlN;0u#_kUF>>;lD01wMwK-NH(tS60=x7vTGH8`xXb(o|zq~bM*)8rXbb^1@C`ZJq$ zN0WxS!MY3tMf;5ziCRSYI|VA(!IX%h1r{YJb0RBm8A^n(a;%C$kLD6v-s<#WqMs{_ z4-PzTwZ$*}17vbb5+W|LX%>IGqN7_rL2bnO7$dCKqQuzq5vG3C|3M4s5QFhzFjSP7 zuVeN&w-3XxRbehaN|s19XV(45MQ2kq&t676+=#DfhTone*8WEI*Nk1vKs(9x0?#|B z@D%U39(&W`Dc`&WG5UHN?WHXBRWmIhpp1)L=gt~E=C=Ua-x6b!3F&R4jJq2IH&C~E z#~k2`WGWR!aYc@>BQIhhtw)JeVU)eJYQ^Oz7htxBg)(|_j- zZc+Op(5jg_wxue0i}hy((U)T&{0juARNsY#K!-AMYshx|tNkh4)(cdA`m~=wYlFDds7QxxlZo%cqX*D{Q z)>se}nEoIec8mE=N@5vzhU7R=VX=q!27M3$olj&Bi?ZlklR^h8aLn4=i-c8low(`q z0T-_cygb0<=>bVIS&agjb}Fw$L=);d0#7(~>B&zIt{SdaQ^ffAnzkzC&O1tUceM-0 zE}weIy;dE0O*7zuuSGki$|*o?xK2W>v=?jutu78uD)Vg85!6EC(e^`OVHWa|NSXRJ z6~wBC3X1ql^4?VFt4iV!1$x^14zH;WU8MtgcIZnH6psJoVk~|l(&r<{F8{Q;n2Ck5 zqj9yaYPmhiCUurH~0yBxKK9C>qU zm~3M)^Ad0)xw!@nM5$+Ur%!L6I#1casP9V{C2ch*)kUE-=dvyOF*ruMi^tV}gw9$T zV~~0l;0%OD_bmU2zG%CMUf0N+iltrbi91C)#9O*h_F?E7(ZPu1)8dM)Oh0l(3X- z%nBq8ONQ+B@p78Iz&jx-YGI6LnTC?d`TWY2!BE_Cb@n{Nl|9y`uQ(-1@Yum(Q}wQy zqOFOWyqo%kffX<9M!+u^Lhot=e%h!`it!sm zBh+n*mE;JTMJ&G^=os#jsl{uliE+9Hr}v+da}jhRVaBBY7Uk$GIdfRuv_5{kx^(32 z(Qq{#1(@}yt|%rJN9ZPI6&1C5zCYx3dUx6(Z4EEWAI#qs7tm*ME^1GzBe`aUC|&>} zi+9%GEgiS8M)^cEYSIzjutw#?$)zzky43eo>QN!A;?Z7~Q9OE7(lmy_XsV{4E|xF< zo@C-7k(fJooD$P9qKg_$-fDmzDIp>IXw8_8_ux>Ry4)pnt-b%oV!da?`g#1P04?u} zr}_IW=iNdpSPe2cN>O%SpQyBIs`a$rkI^VISkI@l< z%W{5_&1|X8}q!Obj z5HUPq2^Llx)oPf?Xfo0kf`o?JyDO~36!>%{E_5e9@C*0RmP(T)5FqTXrV^}w2CFO! 
zw>!}=RYls|F-L(nsThlfz6hwBAwl2I4eO9!Z3d`9iZV)f0?6A7;XQm~O^!QlOb;fr zr2~lFnMcnTNdUN`U%zc9RHMTfOJ}Q2IPxKXVlniJ*GS_~NmX-@k0+nmrZDFW#!&#R z-IlTH(oo0Az%PZ?+AcKw*Wj1f+EM{CaKGmnxSQ+O!)`w-$P1#jSFa@e^4DL5%2@~d z7`g-A1m+l#*eZ5i859T-C_;*H^lgQP62LtqdPW@byem0ic^pmTQ-G|D>g0oBdE9c_ zW;x2I<=wZQeyU;uxe>gJnFG=7x+>)zMDz7_aF`2gZy1BX06sU!-_f(NkhTD^Yezlnm0wOB zw{MP==2J<}u6r06_Y1n^aGRWXdg;-}9>w+1y=X^+0kFUUjjquxQhd*~&%ZbNN$wQY zaf%wxGjuFFH!b~mGKJKI;hE~<157ZHAy{ycvB#;5xmNvs)|qD(CLcU#m9AZouZTII zGH54yKYsnvT8?ik}5%Q?8Q0vGoOH70hed{im{3y1hI9@-&jp_WGulh&pxXzu#5F8+iC-zF;-s z6KzXN?>TISiq6Cub-cnGB_Df{b#fv@DDWPYMut3u;TO5orsEBF8zK9c`O$d&VXSIr zoSJFMPm~5UP4h1kvc|(OXZEijY~=U%lpokpgE87rVf~6?Ik1D4bUlPIdI&v7Q2&WE z`ZkylhBq7h6-rw>8eTjdTAXwQ>FuF={ptUg-K7dOcy>Z= z^Ofx=aCce!YH!l4rB4P<;zVn1;W_|m6hOh4!bD6-uVENlO_0%Y+lX2Cg3){RZ8)T0 zoI2ZHgKk`>0aqG%!?ytqe>^7fTMXkZzZT4@Nmqq_Dx1Fgx@$7vCW?6`yr;eOYkcy% z?R9+caJ|xvww8bsPrYN@LJ)@Q5X-Ko`W;*`*r#t-ZvOsXGB{oTqIXPGf%+r4O9eY1 zLBpxcLn5T+b9H&IIM+U!Tju>lhMq8xQQPahMS(OC2ei{shyJ`T=HTr;tMZ%OSJ{y9 zhT+c0n$tAM%xBKCPJ0WkZsSX~Qhw(;9R1+3w@B6COph+`N`h{FY2Pa6>6Q$k8%79R zQgnhE@h*W@&GJnslf&zj#@Oq?T0Dtxa*deG%ewUHXwKWp{axrH?mD_iTHMCumv}Ov z*-dgjuEBi_2eUNpUxZ64ZB9(Rcg9(1`EtS+3nSA&HZ^C%O)maH4f!tqd1={2TB+Nx zCrU?^N^1d};}S?pmuz_SbSxI`0NrOOGf)$jPhI2jXT>u+_n`$vizUTdCVUOwJ2YTH z5zZSC)KEMl7gDDSQ{RJdC9~A8e+Zj=ijj*kAS+6v=r0-MK)A@IYiM7Z$fdp|VJ0Iv z?bV;2PcMyx;c>}GtX%XvC{p2E`FoZ)bJ?!dCgM(S{8m^$Cap&;ODWtn4TH z(AI5oai|G6*Jc_P25bKl#ssz<0b)1y$6*4%VeMqv{C5)NDNuhGOMXElVNB|54Bd*J zHnX_JCa=#<_V*>TwmGJCN!OKRYF|~!MXO`I;ir;et%L1lbIRD-tifX@)`#B^MsT%- zRA$A+ZNwQgy?UGbW^xh*houYrM_YG`5}~#27gIB9L$}uZR^--OsXm&zeb;dFhv#vo?!(cPpsqL#c*ZIpXMpG$%z67BcWKL0Nnc+epQme^gZG=;{RS2H5nQi#5WR2gfj@JX7Jxv)$^Qhbok(eO zHY_pRqO0fu`9D4qpELvI>wY%}Vf9Dsi_h-*<2^4~(ZEfBp0hU2)TsnD4HQd{oOjMh zB{EYb$MiD`YQ8uQKRza*$W|2{wI<}V+;DpsDYyvN{C2PZ0=GZU@&1e;O|dP0S5W>= zZAvb_f*ibFnM1+?8>ZD-@&$U_g_Z1S3A#_E<<|EISq9L?!kVOuu~u*{uK#50EgpNa zr`Yl|i7digykLksbPy>&R#`(RFgu{|pl7x_z&*|6Xzc5}ORA{kq03%u%5jHE{<)t1 
zQ(0j&{2d6#fBR;KHc1B84dZ9Yr@9ibnh{ETz&kw`oQl~MlpI81VFSzGoTz%WsN|_i z9MzBlV_xo|X!4Kbh-BKNZNux`aw10Dc*cx?ugVqIwoJEG3p*X}#@qtGP-#I;lg18D zVhZ>7eX!g3)3IPG4KIu>q+bd7!FjO~LbHfWhSfxb7UD0XV@rhW&8|#k%+USV zlmnKO8@P`Bh(B5J-}=QD2Swmng>UQlx~21Tq=oVH;t9tGsO=;?(;8#trmJ@orzGuo zpa@#BC5>!i1SD^>htFjJ5qJI2%_}&Yh?|&+XAu-?Pq^&HDD+?4ndc6twS=vSiIcmi zd#h{ru%eM<>)De{|4oNy6&SPlkcP~W&P0EvPtxWrNzkI-<;rWFN=(JWr7U^_3(NPq z1(Ovkk3EYjW+>4u1h>9-gE?=RJ~~SSKkyb;u+fq}Mw8_mt^P3(x}e|EvE9Gk$C^XX z3RNE+J5cLEqvl!vbzac+@8TePTi_2lt|y6V5Far9b z@2|hHN|WL1mRkA|YBgSsR)ki2h`MSmiBQ9^OR{CadhQa)8mZD~$h1+^m>%Ipn02Yk zc@t=*YciB8*!g;&KP~CCU8=~ex!y=8CzuFnLVBF>!rMhc&K{;8fFEBoJMbnD)UNV^ zn{ukDlw;xv20nz87Zx@;aT$5+6P~u%Cz?(nysiSpdD!&Ng@kVKE@F>d~YBQ zYMSdD8*N0@Ukpfkrq>3g)R{D#hE|*?44P=bfsnijnsNxBV}m=|rt!HCW6|%)8GXmEI9ZF2#LT^HB@rE!G}Pkqp>LL%;djkjaT_rEPK5{dR?- z*Z-5~4ois;ZXQ|2hB9;1T#;5$9`6h>U(mYOvC6ITZM|=vt=!N3XA)}#0b&CN;9f8V z^*Fv0YmN=Li~b!e`x-w(Q_eIZ2HODw`tsqcnJ7KBUSZ#H=IzX-{wRE;8VK+RQnsD7 ziEiNh(zWBsWXHaf4YQ>M3ry4X0l7u1`$yO1LWt3cQv+=PUgA5xKlz^&b)<#20rJ*f zdqe$EHVa9eYqH*}XAtCU1qXR<08?d`)(Ncota2v8N3vSl8C!)&=P;XzEUDSAtg?m) z?RR^n!jB+LRzfh<1YY(c0e1E-UK68up+xD7t#pC8s(h#>Y6sf+l7($?lvP*-veGL8 zrCMR@$K3E8kT>^O*R8m9vg%nqZ>Jl5MI4C?)vf$_b^M4zjV943W}z0t zS7GR_6Ntqap-1gT{Lx;w#48t|=(JQ!pr7jD@SF7os;w#&5lo4h)d~BGdUE;7NmuEr z`~K|vdX~C-j;$SGZL|GY{wUqAtY57HvZfc6DcBH~vzi9hUgjXpH;aE>^*@UGUYtVR zd5(Y5D4YkTc|c9|5WNzJ$eq_(Sk)nEFUZJPIZfNgFcXd(I37p2*fjq*^YF9^-qHcxZ90pDc zcGI3$d&4S;sPkx@1zt4sztNc212}kg?{Q&TP+Lw;;F(d6@m6!JJnnf}5A;?k4XY5L z*Pr7l+YinTCA?~lr!J#5=(==>?rWB8o$%9q1FQ0h$YvU!fK~bHrZ=!5kC!=8PIzw` zghO|e9|#t?o_1q5?mjszc<0s+j1PTC7FwOxgapc<-sw!9p-{WyF&{c=S}vjOd-CWIYObi-&N z_(v&aUhK^pl1$OKDa-PG_aMbYHa$JTi0HngKQ1H-3G!@>7a5YkIq}CC*X~NOf#o$G zbTr$SIF`l^|LF{!$poVj3qza!KS9}`AAKIJbI#VWpYtFa>-Hl2ayaTpvd0@ANX2l0 zFumJJsoW24>AX7-gJcKq3`_OZ(~Pf4s14o`(QI!!Z|@H0EVPp{4OAj|FDW>k`;nMQ z)ba(L7uda(nhg_E)m}TUG?4c(J!SpW&{w3fV_PMOt32Qo2_S5(QYUcJvzU!StwFm5 zoI(Bip6uezCaT4)sNo_u!&a%YKAY}0;@&`|N&N)jb=yn({sPM8n2>eh#Ew<_{`0RYIgnv8 
z+jvtj??Ri!O5U4HtuqEV3a2~)i<$|mLx8_{19wE)F4)YItdqZ68UJdGU_iRe+;BCM zptNSuZPQxwEq3vT62US71iJg|`;#nEHkd9ij1G~AxpbFA4;WnZ%ublw$qmhD&)0pr zEWB$R%UKs0C8ajYWy&1wO71o{wpH~58ym!3S5u$?rtmACSb=Jo2+gngcT@r$-U^S}fraiBDeRnwmSIU%{KDi3gRN_00d{x;X$;cFD#`ACgq zjMWRD-CQ`6jrJs4j$6;uP()O{r*rw1frx(g%N-3vw719C;A@l;XcqkxY%)mW5JrGT zzn_KKdV(4agSCGe9trwS`MKpj@Tc!-T^i}T z&dg%J9-}hfHyFM081O` zLvE@%_Hr8k%0Ji2leeEj_HvT-gYfV8z^=7ic)qK; zM?=-O`VwPijUyG&(bHkU62D!_*KedZ81D~<%B}GT$xy7ZRQ`cdmbR`^6X@PV@WqX# zRDTEWo873dzn&@7izX2Qar!?XBHwp@)gd(rMYN7sM2J z8kCTO*bLf^vm3AvIh%9kNqAkZ_lxY?ZO-7nKRr@4|DugsUL&T@OQ<>0)#QWT?d1=r zqhZONgnGDKXTC2%)le$&3tOplc^RSb(`l2M%wT}ArU^VNjnTmDc5Df8Z#C~$$$ZT; znLcY0a|TpI3Z`Zjr$V%)y&?bAx_|U4G5i(h=N4k$;60XqHT}NKPB5|SziQn@hvTx! zR%kAK+aO6VA2CyCtZ`qMqB0=k>vNI*I8Z(Mk5Z*m&XK|0&xCZc&rLj2rF7oMN#*iF z(z{M}tYop%tPI85=+U~BNZZ6IG{QO($3IrylG`YoB=mEGwJXy^K3B1 z{qU{}mw3)7 zr{i4T-2a@n{Udk4u_DW+al-QsC+)o9l;uSC-*SH&cEuIX0j%VS&Q$Z%?lcW)SfOtj zZL9);opZDJ6U{atog!JVNCTWzYSSp)UT`(BR-*tMHs%6KCgR#U4kC}ifgvf|E}y!L zXi!Nda^RcU0W8Qr>(b4~y;1Oor)Wd-gI!f_xF}aj_;3PCvxa)wFFen*zV!b|m2NjK zflRHuU58z7P_3tYhVVDzl>+XAm!s}kFJqvyy`2*!`8X5b4)6PsciN{Or=35>?{9lP zUmuR^KbNmJmREqRmg_a8q+nwr*Xt%eOcv7Jsm&@<1?YmihI zCW$+a=1>T@fU;F7*^h0)>~)_{$ND~|B}6^&7punu`M*9(5sLE1rRS#nIjy^!qlr(#tAhV|XFwNU8CD8G8>lE(GhObu&um`;T9QPdobUaY(sfIz0N;8w;M^>~YdvZf#cw=@B@!?T`k9oa^cRk7yu5Dq|&4y1E#SWm5Dme`dgdVi$Out z&w;3|W@sK%T6~dr6xx$hIxZjQQhvIkt4#)O4Kg7wbWrc@Gz?57xY$cWD7UmWUA?~? 
z&A0L?vu=hF!0;i|xTk@1k_XwgKA*EP08-M;@fvv?Wi$vAEEzI%@KKa9Wnm==GrrSK2dHxSOUitLC)Did?ZR2n1~s5-P1zPhW8AR?+@TBOHSn!m zfXGc5W*pp4RIEbRSR~XqH*Rg0@bSz<2{pS(2)^rP+FKc&<9#3RK0XkD55}w&ldXsN zd>+FDOVm!)lKAxNhSUgb7cO2S5`udBGK7-8*6LMR&6;CI;-HWeHevtm6YwPqM&=4 zsHdwE{b|=C*OuEGyg&p45b5yqQ&_7nFQSMQZnBkx7O=_!>`K^bL5o)vt9ia7>D(BHDr4>HhU*$-yu*-|zMwaM@BNivPU8QaF#`FMNB7qTcTr;&AhpI!XT{ z{%fS`)dYmL01f56%V9#PRZq=JGLguNdMSR|1<8a9e!0wrV34brsh7F&i!R zzc}X617LZH$lX3~wppU`yrIT6Z<{4-0cNpJ>S@cu&?<)_*|q1QWV6hwvM1bj@R;Gs zs!Vnp6yF41-&=SsHni~l$Jf5lG{;qAwk(Ob_5;$9pKv$k)&R7*S6=vKg2$5l13&_hO02bLZ zAKKaQ{gM`$P>!AsTia1NTZ^K{ktS#m)~*>MGZNY`cP%4ei+NcifW?AeAC79W8LEFF ze$ zbc9}!H1J%}V{3FHi-Awv1Ef*zDEH%AFYk{}N$2kad2&K8sDiABD$Z9!M}nd#DCbB% z2e_nG49LWZ{u0>*Sg)kdf}yi3zS1F@-o%ju$kqW;CiG5I9n)cGC2}@@i15<5|IcM0aj>r)Oo|NV|H~J)Xwnn>!B%;e;LlC zi>1<3=z?4Q+yC>>1+xHZy`M0r#s3Qy|1f|wsx7eLMreX`HD55W7I1^Kxy;Q=-iLBm zG5|?{bQd&Yj#=Y;P}Ya4Yi5v|jX5dd>>O4c{3gHxZ2Br6)(DEj&{{LM;h>5vya>DE zKB4sG*#>VT8+1cqMmQevIk~E;Gl#erN!et$hEHOQ$Ks1_Amly}8_ALBky_trhquIH zKxItdbR}UBJe>irFm+HiFSKdwazvU5UkjmXPcUFwr*U!KdlV$j8NmVN;oOhR40eYJ z0xy`4VBdbya99RvZs9l~-G+3VqnF<$fUUz-8P_z;>u_;9V&ouD86hz+=astwF&p#h z`jLVADV!@9K{0}~lBKYYqi9sj0bN0vKS^3hv}Liu?luZ*6()|?=nf)_y;S2IP2kC!OM*V#G)tV|#?T|o>~{Bnn^`VnN*Yq?L*0jRSoStko^d_0 z{)oy=6VOtu;lk>mGRw!tKXru>u|tD}ty`XFvRpy=EN8;3KNMSL@qIic3cFYhMfHR8 zPAVRkGDVOcL-!+!`m%c&W|wx??nR@7lT8{tQ`)5-K}YjMGLk=EmwRWB1Ue5tuG#JQ z{<5;rK#H6jUE|(O1W5=YT#53Zy)6^ZFq{}Cf;L=B&?KStLn7B?ZBJ#1zhmeP95L-$Xwgt z5}C91$OC&X%)Ad!z9;G_EgD?H3Y_N-tk`G=^0Dlx>Krzfh4R={t4oF))IK8Xg;6Uu#N7w<9fxbO@wrXS_?wLxO&jY6l;J9ablg zh!#7WHTg&%{h|{psc2xcE#wDrek9u;m-Kpm9*%eFf9B*Oz7Hy8`d z98NSjv`mP1waNa7q(!*IMSx?RwoLahay=>bp7tac6$uS9jc~E=>9T0vGa!bK_$U3Q7WR=Rn zhBpSa7qU4+480zKbhajk$Ye^4}H7c!3-CBa@^&=&$mu zw*jvb7>Sy34gudR>+z+Kwys}7i&iRxtZR_>p4AQT4~OUC^@5_>|0^qinu!)gTB}q zHg?qpHTu=l(>Ya2_E>kK+3qMQtK(DHqBm3MJ-Cz&nzPJeu0w7l%U{N?C;Op$tDWd$ z?xFqY<7EKWH241N6cXpYhZ)ax^zrzQC+F51D*LvRIrkd$ziZ3y4ny}-?ps*Xwa+L2 zasRmNK+Jfy7eknH-G=VLIsSKZ&h3Y0Oc+zHp8f3ROp&R;Pl%bbGuW(L<_(U5FEOOc 
zcKp{9(cK@@S!bjPuYr=O?rxl?>2Cb2ME=w9=*Mg+`5k1`WPrvq_qngx=5^J3$B*ro zx%8PuLQ$s6dhP*@Xhn?m&Y+Y~>jGwJrlt#QrnbcuvI%xa*9sq$|90$U!=e;d{8b+E z+>Ic(T^P~BJDq2VK$cK>fTUPsGR~<6BWW79T`xQm2-rxg%6Zsh_js0W%=pVDsd!`q z6IBng?(NK-wsQ3cBEZCSP8ZiwTt~Bg+!4M1mvB`QJ`14|r_9jf?>07&BCBGr4hUns z-wGCO1VylwrI^uGjj(S-t62vnp<(?;tdrwvj_{~@vqWzCs%gwe?-P1b9_yM2!{a!e zO&pZq6>9K8pec(%w;n>KGDFC?hVwJ7vT~(`v{rbxqvmi`Qb<~pOPWj6ox{z= zfZrj?&{YT99>oD5eP}Y?m0b|qmcPqj@ zsma4Yw`~Ce$6i2|@USGt0J7gV@(nikWr7f*QFO*YK1o!=iXh3_!qjo@k&5 zem<^eT2(b|vvyOx*w~;5?iTQJD%Johllns&{fzb%ATBb=t!2cAfev8Iy4&;h;LvTy z3L{X2q&tplAIS1JxQj84<=oYEAPG^q1Z#b5or(aRSy5M{GFWT!6h|9rw%_Hb>f6Dp z3I$c_^7wG!=qCEI;;yFb9AT$IDb8hTJt=(FVr=HH8{j zD;CPsp#23}SStd_KgR45(^*OYqr97%LLKY{4|Zw*p6DP`-TjF=gewMV<<@>|feF@% z!vYOxq3|@*&5XjoI|(@CN(xLOZ3TVu5GDV(29qu<`$Jei5PWkuNan?*+1AL4EI!_j zh$$0&^<+BGpl#RpG98Gj0yiv7^ubD9F8~j_Sj48-bH!t4C50Y@EBfU);HtnEYen&a z9<(C{BvsDx!CW8WiHIsa0I47dtFA?-AspRQKYnXT*Tx)AWCC#Wep?tvWvbtQVhDjx zHPVtEj6(eV6kk&H6sGa~c7o=ig(t2hD z{H^HRot=QSmZbY5@5~H}fO&Oj;EdJo zLx*G^U)YDpc3Lkz+h~?6AA|eY(q7L_%5Y*j2R=4F%AOe8$)3R9km}>iXzJtmLN@Z0 z)zHb{mL0VPaLQGK(uH&YdsDe-l`nQ{&Tt1EHnZ`u4 zegVvH=hdzGf*bb(e3E=c%Zb{`!(O9}6ei|>WxITg)|H4yo;G1bYZlX} zS4WiD3Q#+iNkI+q)~IBdE{YpA`znVU3jlLpPM@>5xCiaEmA^DwX*UvAB@Z)O zY<^UR+lEd5R#3rEE9M^)7B5U;H2-J?RhgEvjm9WB+PDNN<03mf`#-(~CS2>uNm$oJ z(NgX#ywGKY@Sc$!$+kDXQKhsIs+iw5$TTqahTq5O06cS7{y~18U@r6G|Sx`YO93S}kl_YJ;lKFiu z@8^-f)$(P?$$foozxPufU^c>;_98!r?fOtpvG03eh19usZ*$njZ7;R*Qt8^om;fxv zXVjx<%#$}ajsEptX$R<%mg8)lgDRj7F=0t2>D7{sD*oz0EQZQ)_imdYLU}Y8n)4ch z#t6K^znLbPiWvPe1v2{9KzuDo?pSjd9-%+CTFTEKkdF>o4nS8fk0(bf9}vDSP;-ug z%XCnH=R>{ol7ON!7q0pCyjwO~2CN@dL!^=Omu9}Uzf!aec>DybP{Qsj z$9I1LN&)T?;+b297iqbw9{NuRznOS;g{tLvc9CJ}C3MnQDgYf*rKVW`5SZ#*)!@Q3 zp7nF=Xor$x{08hvc|$jpc%_s9%yk#i6~%rh02J9NJio~aW517_*jyXZ8=Q(*^I`h`Zp95Uf#(4iCOQ1d?bT0MOdG-?i z$H_2AJq3xJHHVfrwrB`iAAscQN9zK?Ptk|1e-d_uV`0w`gs01D0^v5+IAD~<(%x$= zK%J*;OE#Sz9tBI6UjgkH%b>gzZ280 zl;-9j#Z|df6BVucEwYM=vNmoyBn8{g4+^Q9gk|u6?mBY0E2efCnJdVlK 
zK5P?R;HBm)KH1jD5C2IHane8?=O1JVwKzYIvbkj&JDH8Lx}_;QNsY3&WeGcd9AtPU zus8)9XRyIHpB$vCzR`Aa4RJvoAx@{n@thupD&!H+jgqP!#>iSmz|z zb%|Jimf*8@;EE>9rozPw>Np&pJ6PT-<4+^ED$bD>AvbGcxM^hAEAn=EZ&yJnGkUzn zx#x8Eur6d$?G2|_gY<twX7TLgf zcg?&j=DZxgagxNknR}gG^cC(`Eyg)wF<&XZFc8xKfYx z>8PrdgKD9NEcgX34S@#@Kgzo-^9Arx1S3&BJVIk1X)~i7L6}=4#lWsqbHVOP+Xmd9 z4S`&3$;_~p7dcg_Pue6}9n6}(;|ZP&K3Ob!K%uhZvS>g!^4OU4b6GL{UY_oLxnI^J zq?-;I~)_eaS_((k;kXoUuXeI#Xa* zcxRjjiw@X5etmgk?RDs9W9@JWiToRr5$`cFYAYBxsr}ODRQvXS81IYj$IdHp`6h#c zwj7OFzC$HkD*2sL*+^aM-$-qj(`O6ffuS8HApd#a#grQgZk*r6Q8eI@GXMY2b|guD1o1AxsD+2V@k~{@h71i;O#3D4+aiui{rv{_nMa4z zoRE>V<_R505)U5pJFRX(<>+RG{8!L#>@zC79J%bqss=O)zu9iBj~|>t)*5n=@_d&7 z?HhF_aHTtefpRQq^%@)Jc|K-Q7rg z+4N~g*%$!gOH<9Vz`A`pc$kVb#Q@2@95rkT}?=WfXSBfyLRgta0N0_i$i9I>(fKX*Y0`$Qqo zl@~z~59{pTprD9Al@g3MH_K+Fp@V0cIG;zjRY{CD{%J=y2LljQiKtpz5UHb)aQTJ# z2R?8Da-F+9z&LW8_~ESoi~P^;d?&Btey&pQ;lSaG8W8G4oy&y+)t8igL!1t>#GDbiTtH7L}+E>8Bq^3&=5P$`$ zk5)3#k4`gDbEt&9;POog$Qi0bwQQ`pCfFeQ4mWiX7lCt(r?&z-m)B zvNpeY4vx*bBO;v;f+{cc!}aR=w9E(YS9Defm9rEX?2d>A+s=q){*W5D=#}my4lG z4*jsOJp_Dj9EK2V(d4E(yL*vXb*x+h!&uZ6`JKzKuya*#k$k2ABKVA^LDkhtb9Wvl z(EfiauD7GG*3_~Y0keB4SeO-KIQTsifRckf&_QPA8-9mL*l6tS2>{u~IoZcK1bvGL zDK`<=;Rv@qjq9E6Im!MAskMWBqcqzOp0)T?Oxe6AXKw(mCz~cYe|-+4l=vJBiIW0CKyQ6wS*@@Gd7hrzsPlW~d`L z*dEen=H1SK-iTwk3k?uYP%Rl@JN@*s86w7?Hs*?hNZFw@k5232+IBm@C@VPsg|Sgi zI@ZAd!dh37L#$Me(GRvwIsB|H0yycKe(3D~&QB$N0PeUoxb_S;%^odh9~n7&{|De2 z!2Tb+{dXJZa4{Fha54P_3?ZjLhcxING6Iq*m(qaL$ABhu$EvOVKLCjx83sb&oAnz<+MwV~dcW zPl;odt~*JME*f-27!~XWByNOkxX=?G`*wqDp$Gm`W9YAGT(tkZ87nKzfZn=DGk!YG z{3qna{XJ_Lr_bR+?;j=Awv>2q2hD(R`+_GGO!I3mC-JjrtBP!U#)6IcK~qAn!Kx{& zdh9pB+StD5 z2$Hp31zSalL^DcO5%jQx!ZA%fch$0Jv3;ni_8AZlC0JnP-c^<=D^Y%bl{5oG_{qS- zxe(uvdK92nfxgaU@=BOYx~W2DqpXHWp|vHm901#(xb%F;ZVb#hmi}&nj_!6tinvE# ztZx_EopXr<+1wolM`6!aBn;I6uiQuBgODffsEA8v8c&pBDEisLI(suOsiBB#nG(#8 z>W0a7m;QmKPg`P)vd`_Ha!?{ICPOe&jSf&4CfR(!(%x? 
zOJWtiTpmY zU(aS-ub0Mm%YM9H9tGcTNv{tF*WX=y*@Cf*>-y+44t|(hEqmU~xoHZ&qK@BV_McvC zV%7`y9+%W1s$4;021f!#S2uY@xi6;BPE-=xcf0-|iWtx&{bhN5)J&uaxq(s0oQW7t z8>eAXATXurGOM!xeR2i-ExnhWeqjf}@RSFhKrh)=86y__(a>!Q2Q3LZsP2wuE|3E4 zp_m{k{Xpj_(z23|g>iTz^t&f5c_&cx;H{SYC&C9;C4;|b&`e}jtNYwyX;z&&Jdwal zgn%)XI(d80h2qNNQO-A<RfH@g%R3k~GQQ0c8jaR4^a$Skp}rVApQmS7bn9`N6D2<`g{LyN#S zA(tB*Mg+&UW|2*sA)lm}@Ge!l&gfHKo>mdJv0wO>*^?_yg{oAOp^p?YvF z`bEfwI^6z#MLQ!L0~OvE+U*@p=OEU#UM?R0fl$E}$Jfo%)fKrLnZCvsTCFK{$IKE5 z2AreFjRonHFaABgDwKbssWZ5LOS(Q0-Pk4{1h<{{tFmmX)&CsKl}p31Ylx%t{TYae z4au+Fg*FJXcDR1t#nWksnQfjMDG`SuYV^^rc(#Af2|?|LP8bTIVr7hO8G$UkHryL+ zelkxei6-0HXsi#bC-!jofrTFgDXBXd0{O&j=+%fpUn1d6I*Cu zy|pC)fdOaDdYY%Sz5i;Aq(Ri3Y{l z8+EA0h~72EB&F$x<$2O6+^JyqXn$v+*e;bsKr0e3dTVQE8H% zjl_g}QH0HSBGc1!%a!r%!cKU$Sel5{kW(4@hD#S-g_ZwZ-eX|g(a<=EnZLJ7t5-{j ze#WF#%!O-~1}kh!6SS$ncZypyyv2I9c>nQ};uo~rlI~n zRQ+R+CC}G}3r}m>wr!i!wr$(CZQHhOcTd~awC&z)pZ@*N6X%ULBX&hrX62WPirAU= zy4SVXW*m>gQ^=^Bfbp44BLbiZcotzYbNJ1zbg=?iHgCD9w7?*m)Oe(@cwD__gq`yj zdWpM=J>(UaIpvfOBApq8LkSEJ{#8DQRwlmR`G#A!LjF;$)%Dzu(Vj`{Pn)%yAdF}y zgkuqD!H)t9-j6*cKfU0lQs+hl^SsYa1SVQxBMcfpNW@26Pu{0;c|lK24@Ov~U|>0% zht+0QCv2HmI!fX@=PQ$pCws(5VMK+G8Ky!UOLek} zqYFdSMm{u?j;bzuHXB-24AC6Ww4s82)9{#S_alJ ztQsQZCk+j3Xa?aBnH`jpc1OOB=D|ttrm9&@#8si@PZWlHxTt`}n z8;Zx!DK7O7+ZVHp8jwy-GBJ1y33*I%>yk%C?0$rr+yfPa4RjBQ>M8u*P&FWr&C>l* zKQ11lT5Y7f)e9ov+wN^t5~?VH`!~?6KrWT#5sj+0@LbXEwTM4lOzyCQNsCkxja$Z* z%Wo&D#vxTLFY`!c@E8&~iaH_)q_s)Ar&&bwYv$yhA$*N~>HbZ+9$Mb5oL7MPHxd|` z;&GN+xuar2%$L1KFD_w^{5;n70{lk2CBnUuRZ-}b)El9?sk&y8PdG>ov}8~TlVJWX zfj5D)+WQ`Eb{*dCtQ4oMaqVvD5j86l1t8o#uIFLwQc#!L#YSCiw+;opTr z6DPE?olLL}W9-fDOF7L=wpMrrm3iUtKvvCP3Pm4ugpuqvm+8PL%_;t^gI=-=Bo|_2 zUK5u8P6^af=rJ;6cce7M(FgSl8?azNqcN~|uAbH_}wiTWvle`OQp!@W~UxcitnRI6lSSM`0g^@Z-`@L*woi%aw6tfq)yQUuE8S3I6K5r!Z_0fZ zz(~!p4C)}!?Q#QhK_)QWJ|p8D{*&G9!?^6dTKZ}lb_Q}8y9oEE%k5~sM=p2k6dmrh zv7lC8OU{NmY=0njc#YdBT&xv$=4J)N>jFCTsk!yOo(>Y$)71P#CVJId-F*MjA{^IK z_NI=#BFAzrQX5}}G`#e+p%`rj1j~vyVCX+3v@q=6cb^Ckex8E^>Z`!M4*%xuPYPpl 
z<>9q%(=r$=7e&8|te#p0qI0B9pGjgqbYgD1Xyf1}`eIyWF79k@N&Qb%Q(qgxdFS(& zWWsEzW4$vOd?yvX6>N6n2vrn|1qoeo6WOiZJnf882c)g}WXg~rl1O3uALB83q{b?4 zy!4nV1yB7QQ9&SX!ae8hQP^QC^b;iTsp|lz*9|+G1y281eA0U%J9R0=(J$%}?Y>$l zT4ear{Fyb1S-;_|)Jpv`c!~H*=DeS;=7dpz+NOqe;nP{9#xr8VdJhydQ1cYI6fzQEmkkd)F}rpTU=u-mBvQVL&XA7skZeFOiMdiTzx938L`jndhq&RH{@${ zX!xhK4}uDGa42CP`Y=3bP6&VKiIJGj%8ApDyxua5k@uHSFC(1BgE`D(Go8ObYknbB zVYh0azA%Q^QHAUGTLGG;wMZb_Q(3wsp)fg%O6gCEHer{M!TnYzem)(KCDQPd-9)Fd zYK#N0ku}2nHa)PNL9k!FYg1_oEJ#9QI4Q7k$j0!$x3_$aiElABA*JKI1`?ZsIES&e zZB3JN&$tO`^!TF2jl+>8Vyaowsx_#YLkoeqOm2@c*UiL_c9XS$G0)Aya~}kS=U%=) z%~L$#?1QEneXS8v03 z1t&b`$h_jyg7hnlwT2Ntq+VSh8mEFI`Qc&)YL77(?~mK|>q%hQ^bTW}846!@ZcI|W zNt+FL_A3&o{UAKC!g|aFNDe@=FmXGh?FB*RRl;KUod1> zmp^N9jdDc^kX62VI&{dE)j(oMiJZh?Q2#55rZeWnhXn{pnI+R#g(kNSYdQwYrvU&k zEmR=~&j(rd!eSxhu~fw6sBpB)e!n?!8o+`nqBg2UV*^<^;|9*Nf9%1R6R-QUNvo-` z1$>Ci+TS~x7N5|^8(pX~=#;IOwpF~lk=|*%7SOp~6BSoz#~4Cq84G2_s0=rc4>j8K z%XjlwJ{HWu9TnMOoWFTXFUCWWMIGK7vLoVAe%J6aN-D@Z!A$%mPM#H!JjI0-)W=+! zUa{0GZxioRIe*i_w~uc$AwE*WT*$yglEBcWP~b9`UQ>Ad!EK|Si42-uQkk<$*G&~D z28Dz5p?ks+so=q64yiEPkmg@k5M0KFVqV4Lr$-HxQD%*eYzA}sET!Z8QxPNv3Tn)> zZrKQBmc1WImpg{kL&9Uc-!9Fb3zy2Zy0~aC7M#Q0B06pKJWi%*B#j}1EaKg*e8tpN z%PV0yWjHTk&MnD|W1*gB(*TW-0keAys`TI;FD#i}#E0>!d}6{^ym*=JV9xsEeksGE zKDox~iej{ie{RGHs(lX8Ywwd{eEAbP?JF#Z_qz?&{?0$mP<@}-&Tw8=Qe!2qYWMaA zI1Isqbcvb2m?zG49%}7mnVnOMK;qXGku7xR->*7e@&qHKD{O#ujv!jfK?qbs2Wd~wE8)uJHyzv z8BwrDbR6Z;E_}GwqHu~ig=kDS=vJ_eerRqbak{!2)V%8h?PHQoEoW7D?@5tQ!*y(+ zQss~+r(jRmfB}z#V=!u`kf`h@vzMA<+wCmqi5#~U-wCJmN|+~yG|PI?1f6<&uHVm9 z3U*vFga?|m(j-U-2oF;M9QVbo=CD;QtrTg9wUh`oI68wdxdOOsMai&sUIx?-^{VVU- zO?)JAJ|ABHEA}BeAt-9{nJ-svcBhZq@0kx=W}z$?NBirx_Ugpar_q?DQY(v9eD{#S zaeG%3^Eb+GO%}j_s1VZ&b)%)L{4{vTRa0^{wC=12nFaY`#lJ7oOS;{R`u*)pYRqP) zKBAX4?ces?>b5Y{QHKC36K)TlwOSi{cSzS_o1m@zeB;%+@-)D2sjAX>)T3zzDZcoQ zHxavf!y&BK5r@yee|`wgTZ8ont7Crl5MolKBhiv!Er_@J^D9azmu-gEWg&`j&>Wr}{P$y{Dg;ciHX* z?1w}?o?v(rH#M1?mU6&2TtSJ&d^0BREh1o^udCdmNnOoqbol-1_kF7e_gl!;kv-$S 
zICyMScR%Vt-N_tvvRlu;M8WuGK9X*zmsj?u^?m`QUT((6C9eAPd_Vt==Y3zCrRjaY zMwRL1@O+*h_R03X04~hPzeQwS8-8VoTLARPv7c4)w#0yw#t-3H;9%UO&2h%USdkFg zKA-6Kf5as>xo>-H;V&o0)QDty`p4zl!08}y%E2_6lHS(EB8A~aM`e#VF^j>Wc+wA4IDZ%lNh@U#2f(}V{M>(dDuvE#4ZP&r%77~%{1#Oi+ z#WLGyI>=t5ldHZ3MwNVI9Ve+Jx-L?JSIAJmz)!=O@k}QvZZ6aYie|7?uLeyX4>k^# zmgJ?AP~LbCG-R8~kLjl5*scN|su!a7XRSBlUtFgqcmJS9N%~A z&43P3I@I*+cYxp>)^f3Awr;ZE9h*~IiB+lKinA2;Ax8^Jt+jczL(Z$IJb?&=umMw= zm(0Al5}!+_Y{YGFgyiL&IMX1B0bXB3;0~ZQgs`FoNS9Ej)L^84v0?>~SSvnAFy)Ju zvJnJj^ca3z ztkx7^IzyG;{|}D6f2alUT>=ywVdFZJct`|2ZCma3B__`gj|b~r#x&#vk+Vn&EqC69 zI)e5lWeb%tAmNgc7+?(5cQb3V2oS8b>nT&X%pfA-^NQ2E7M6XlX>Iteq~e)w>DIaSgAHWhL~8*#L&{y7%!nWcbF!j|r{I zI*ToX&A@~X^O0RMRT9Kf21)cY&Rt-^_!0Nf_SO3<)fc0aqD6FRkmi3v6hak~Qp>Z4 z3!7dhj=_SliRlNUL3F>#F@Ag)6hIg}@K*gSR6rmLTA$w%GQdxbhq=zCb3*ACLLM_B zZn=3&__aAAIzHENgk^i;6dwW!Orh2zoV*HP@7kpcXJB&-zT3cd*M=4b!9c52;EJt6=l>lEvn#H0JJ2- zeH}Da@CwYIIXvQ|_!t7|Ci%QaX*;cn7N7W(y}zeEVs7#ApGB#P1`EY|087Kf5*Lnm z*3g|nbtdQEhl#huupoMThg8<{tl6O#LXI`YiGVs2tVpXA{$Ij2xRk~k$+TT7(3&@I zxLj8h1fvUg%+Ymb_-x^iTj%ksO+(d-2i0gee$%tk5|_|P<=$=Y*1BqUSX0GTbYRkktLZUziLYg4KCD6P;%yfm6fj9mi;3RW$99t#=rnNVDmo3J`uYa+>Vl}8nsr+MmNV#);$@fHdb1Mznl5H;CxWEh(Axr=R3%wWP3Ao91&`Y-ZBFlY^> zl!V2?boT?=GqI`T2-B<#xMH_;d2Ke7G}yl;LIQFBOoTkftSL;^J4BWmeeZm#h&>X* zWFn3cuMd2N;;rSpf_qJC+2Lo(z>}yIsDzj=62EU;O0qa>l-w z_rHA}Ps;SVUi`ZJePX}W#F{>#f!!re&NO%hUrJCQ>)$RsIr=v~mi~0$A=hhGf2b@| z0E5=1Y+X9BIMtKCl_w;^hY0R%51}Lv01Hu$n_GEznILHPF=BP=z()RgPmr1+vT>|K@UJ zD9B;MN9kjRRf~|U+H&#`HpZmpDQDqIG4Ts*n;&fwCf>&fHXZM#(U#Vp(0j^paLSD{ zA$L5+0eT7zy7LuUjU{#w?F5j|B^tq6^VcyA8zRwZs3rvGF}D~9Pe;bl_56Et>4R8I zz6c9S46wl{rWI>TG^aD;oNPEGz*uA!lRcr`V>t})fq~=}Lr92)sq}vIuAIqXLXA7= zX(tIKyMpG#L>>mAQ`NURXgf)+?@&GLl&>VeFT;v^HTKTDv;t* z9O-nEgwz`4c>=icXTIJ)Bz7;;X?>~J8?J^9`qi^~H=40D*P&mJwiOhp?OdMxjWa^qqmG~1@zkxqNT`Zwf+jwhT|R`bnts!bQ^}NQ zb0m<_*sugt7Y8Z39dAxD>$p&^6Ww0T46=j^iRxxU{)p&@k9xwoXOP|bnNhGr^i$rV z<`}?S)iLU9Wq|JS)_zflcwqny6kaY1Z|f?EAdjb}evqnht{VJlv&kX-Do1zTZCEUpi!0NgHphXbM7h 
zM(CHzvx#>q!kd^e73jrPq49wEbDto_`(m?JgzFYl&>l6TaXP*ZOA!oqpE=z{PWL?2-c%qu6;+-l@uu%5xxNyPSGOzTQx#O=AJ5A-thGst89!G&?ipz0|d)^!i54Ohm@x z69W$tA-v)!G9;K}gq{G=@F+DcVD!3HOzmz>u=nOUI^CKmwTu1bPWP6W-Tmd(z$i7T zpQ)cGAho+U=R8ixmID7LIVXdb61nul&w43}`M($x;71D5U8kM%JU(wPTH zqlB=97ecg{G=a$P1F*;yCh3L?*p=!2u~1xBluB4~auTddxq>-Bv5-V#jF`+MhF1MX zfm0yk9#jj#BR;KsE*E*8J))qKQZ6*2d?m){RJW)1CliN-W*S`ReXL(M8-m3KtT;*< zNe~MDDG=LpQ@GHKm3xDuNw7`qJoEw~ry*7*K@2^ed752`>E$CRL9sko37C^gz#wi^ zD`DUCPAJxk8P>k&eUCUV9`H1;Lo!h)9C#3X zT10UK>S@mgDhAQmpa`R@+hXIn>aPbY@*N9KZ#<+kZ~UsDk*IOTj|6HxTzP~|V!aB; zQlCTd>-J(^Eqtg(r4R`{Bi8n;gWh76$4YVx(OSTeR#2{v&}s#yQDr1I#3HF_`|`*s zp=Zx=yrp>hB+3S?SFIw;iR_A0R|i&sAuopps2PpRtbfsjlbmO#N{R5g1JWG9T@0K? z|EW9lt1q}0T5gfBObBi`cLh6-Y!rjQ*Y8lF$x5^A($!le~l$Es_5^$SqZK&}m1QrRQo{QM9b=xxQbGvXr6y2-#feU`J z?1G)DI~Qg4%~{qHHVgH{w0s!4T=~@%^fG}|y=5K`gNAQmU1n!O1?kvxx}`+Q2==co`#iuz3EYj0h|mu|i4M z!xax%P0$ztc2i1~OqS2LbZZyxFHSc^UP4(Ltg;cAyS5NuvcvKh0~19vdAWjIl;glh zu`&P3++t7V%-&k3(Rtt#?^_kpeklv3p35_7A=tmx#p%;h?4h(!zE0HHt~n>A3iX{s zmAa-cVR?reO;C5Ggrs37C)ef;G+=sPt2MjfkVR$w-rByg!gKK*>d14>5po*Aa$~*5 zw#tGG{q1NdOV20;TgS_we@ zFp&LzP=;y)^>%r*YEBt%$IEBdQJ+gsRZil6wb*J?mng#D9A8hv~*vPL-=gjM?AIZMjUf z@Da^1&8?{i4Xshw-yv+v{mESCHy;uon_u;zEm3Qxum5a&Cbxb@&#^th!G=$?=7d|L z6%>!GhOde0H^ugbLI&OUC$&Ykn&Ml)Vyal<&;7#Ju;Ev3@fiUXMq!mIwQ!qXY(?R; zxqL^%r=8|f%#00M5i^DhPh@){S`!g%iY9Mb4malx4{iM`Zhmlm5On6C-@`rP_cd7I zQMtRsgZuOQot-)Q^8zwQD?I-1QU=q<%sLCfmD&Hy=CJ?!#8QNqww!=@gdl-I3iLjP zybD1a)xtt3wxCjr)6ape@df(WN;1W7|sEH?G#3WoXRg)4vYY;>3 z_gQFfS&@|3Z|yU*C1H9-*0tG(qFxdFes)AU^s=@qYg9Mma#g~H%&AFB%*-rvgsjKv zV8qHJS|Ttj*@Ui>$gPFOwT=2`UZ=;_$q1$UcoEG?e8zlp7^6Bgj-%t1TFG~OkeF?gf64zANciZ*&dXK^3eaZdUzfZ|kti$Yw_Z}F+m+0pnHl;pb<=j$6Z_*`yO$5sn zHTWd>v~%N#Q&A?O0JNX^GDy{9XPW=8zG%*?QzL&X7&k(1iGr z%IyoK$tRo(rGNeJNO7l+8@E>R!=0Gd?uWMl})i2!NdowVCoh9 zH36*0isAM~BbyFx5o>;!M8H~n>VptU8>Qsf4tbm?eJ)wQ=s4I3xS%wU0qCE=_LQF z$v7cX?KYVNyY!)#T&98cl`?^sKv}J^$?WqPV`-9DpT%E19@+iIN5Adk^$}yoJE{#z zDW{6OKGZh4b2!6@e5&r_`z0f3*K2dvLUqE*XE|fB?PN5m^UwJ17xhEscprI)Q8v!k 
zOO*1JaTqnKnSuMjP`_2dWBqHdG_~on;UoR4@g)AynZHED2oGKv0ZThC$?DA-u2l5N z?&}Ax96b`5dUEUA5o_t&pt6nJZze)Zephd68c2z0;;N##b0iyMjt2^W0Dz97{M}JOK6VLHzUdNTU{# z(Yy*bQ&eI0^V11|Ge#MAmV%$4$;H3GWZJMYDP^#q0N`U*Ikk<&S+CuT%C?BA-A|P4 z$TMw?Bq4`cl;`b2gSiDzn@EfziF$@R(8F6uD3QLaQ8)u3Gybz75H9nv9?Y(CT=wLh zRp0(KuCtec<1i*WcB7sM+B=Jt@va7FcIeyMAiVWkWqht%V}i4oh?VSP%XcRCFi*p6 z%q|23JU_@Jh%?hVy4V_#OHp#OZwfEV4}DeOw|2R-`5~G`es~Y0v6$zRysPzYhw1P@B%9n49UHfn?OC z&H@r{?+qtsk86eQ?=o>4o(hmtF$&C6z&1{i=d`A$gDo+0YJp=40|I3diS-R@#iYfh z&eki21t0J(g9GFL2XOSF%H|A@|5g_tYf+ zzBs5ws#-ODWh_yHOpX0c>Hs3TzW*!I}It)}ZEnQnHL_qT_?AX}tChRll z$P?Bo@3vfJuPB0>XcdNos5r{0B^E5yJ(Ss}J`?pk|4Qt-+uc06-M%8NH-j8*U zFY|@Xc?P8%-ihYOvS%8j!*Kw%7P?QO)n#I%+x zpn8EQUZ4UIp-NE}ufD9R>2-mnMCv7-;dcUW0F05hYno_)HGK;3I@wMH+c%kzbiczx zgg0TP!fqRDT%;$lt4>E*1iyV*o}p1_>8g% zcq!fslo)t~E#azCsJ_0B$!*5XYdDlo*DM2Vf00urdf&OR6epM+@o3eqnD8vUubCgz zG`b{MXH5Y{R8Ug!JhDR6r}~n>!0zeY7Y=aR*=&|BRIdu?#3ubn8a`BPD>vq_H1pT) zJZLp02q6`ZDjAGIUg=R$LztbTEqN7->3O1lTn91CbEVyh5b$d`Bsa}(kZ*GTqh8G) z{F7*vG+U$tS!o#*KNvj*Dlo6^9BZ*2pn@Qk!V0Q}-T+>#y58meogCvW9VCpCaQ{Ot zh*hg#7fw1~020IC2>aX&C!t4K%ivux82R5(5gjrM9KY2e-AZRk)~T9T)$X`k^0gde z9~FbqNwDIk${%vI#WptC!FaZ*E`MIa@G3`sh8BKAg+kFQYE#(~zeOza;m0tp2#$R- z^Y~+T2%pj_FXdx~wOqb^G+PDiODh&=Q`gGX#$Y-R_IK+c!D5CYZ>;#f(Uy){9Zhgo zP+>kSeN%B)9X)watW<@4G1mVnN%X9%L*mK<*G(%^!NjTt z6i<`it$8)hJ7YOL@M4rS#+E^AZlWPMi&Cr4kfcgJg+#v1FGn5;(J+dJV;llT&8FN~ z*c!cByTy=5dmJ}Jg9%qm$q_mZOmH?_w|T<7?5}$if{H*y$k~x7_0S&#b6&_oF; z?}XcAFP>o)3_(Q7_R80h(axRyF(Yz|4JAjFxf4YXK3bA#P^M)QoJP_p81f{?!4s#{ zc#>N*8banD3Nw&g@<9b&*welwy0u8-m|29lMR21Jb&S|wuJn6`!{#c6dN^4t zPmQR=qusw?w0pU-ygx73)o#@>pqt;{-;4Z3AHvDmN0q~O$r9g5V_o!iQ|RE!r~gL| zBTW1Mk;9b#Iic&hgBuHeIk>nue1JtDNAR^F_Q7ZP6?H#`qcdd|UkXv(DdZ$&I8xHh za%XrUAA?iM=|7EcC4GNiESAkChlS&ugN9!dbY_fYCef2U3v{OQm%SjbGDLVe5J;rw ztyxd>XrFySC~PMb_I zrZI2k0=xj+J2Krf#9ti^L;ZUYtGCS|5hXjy^^>rBcMBdu;NGZ_f%@gY?bYa*fnsZu zyWQD8kEYMu=)FMD(d@B8=eilLlg|J}3fMA%($ zJ6ZgdSkM;%6LttyfnL)Z-o7fJ`oVeV$oMFnD$ 
zRKQuhe{!D}VG8O#8MmEeHot`vcCbjhT@MSK)l3VzY%snmUN(U1?G%pH7wak`UcAba zMkEjx>fNlzEWa{Ao8teFVv;v_jGX5W^6VNp9ucLBN+ND<|1rgO0gyq{;0caM4oHC0 zP*PKfLq_gSPDO>he)|R~4R!GNnWOX!N8%EWK7I`)s(Kg&!v_PhaXW;6>2{-e`n1fjq1|?F*P&vIJog5eBH6{F)P6Q!{zxt;ul6YMWKjxj*j(}jkJa1kYd(qf@sw< z#0?2p640jJQe*n)Ev-))tr<s=8bs7vcVVI&yhp{cyjGpWy6d*J2y}-M|B=KTaGB6a`&E7pGyH5m^4+rpAs*62gMm&GMp0!am4J;b z{Ww5$mYV4Lgy*rw`zAM@1rtTwWpv&!lQ=1sz&)kG_l&vugXU4jpQ%Mi;m*U)Ghsg= zxFVu|aD~o;NfCpcx#i_xyV;4T(hvZfHl+DY@nk}bhcj(DHOs17!A=|1&TIM=xJ^U2DD*r~Zf`AXn8G15is<>56`k<8FNv1%l%VzM6{TE=dc$Q)$?!GnqLeECCs9xh z-aRU3-yGSn=O1A#_cm&C(C>OgrxX(~frl%|*8}`+i2bx8loAHvp^cecSaOq#1* zz&SjP@QSxLWlAmjO1~|0Pt9%+80MA_fgCWaIjA4|Is8nfLorluHeIX%L8Mowj@K4X z{c+mgO#_Llm0qV|%dH_Kd8u>wK#dmg0IsOR%;=&215&}7&BOXuEnz)yy;R!T)$PXt=o^Q=)bNH)+i z=R&UH9(x(mzQ3|iHCczh0m+<9L7i! z{~x6-!!Zw$>4(xLH!imVq49r|Hek-n%cy-&2~=9DPbAc!s#mr zwLZ(sX%9IEWph8`IYLOsp(7BvkWnK1N-|yszB56^3r0GYC4RHaMAS$|tMM!JW0rVx zm8<}TFJ)z2FzO0aOVVo29*$KB6Pu%{|I+v&VU%1jARIq04}V&w^iMuN{ny7Mdidm` ztY;HU;g6V*m-K}Ytcs`@x>-l80t+j8jSAxCb?=fwF8G>p1oZ7F5R?6Bz}lAnlg2Nv z^;fLI3#rf!-i*8N_l#?=5zmaPFKqTzcT>&{PC`?TTkHMLD9nuO_WDd(|N0E~<}0uL ze`CHq_-5QU)+aevAD(gloBo+1`z3UqHebPRVA*wB2u^9D zadZcpmdK2GlJWoc>$Vx64iOOD7@^6a4|I!JS{mrySby?LXz`(+uZ3{w+UxLTDg__a(Av=fs8*EFXGiPEWNcBnnz(?-G5= zGS#K=NClOPMe2vC*W?@ymU=?vtVh0Rqy18H*RMn@ZkJTnB%#je!!`AIsY<__JelRRZ_ABd5~h;e^a6d3WO$NWvvTO@WJWrqJ0=59f*1xl0M zjlou?!Nqhczr#LbuMBUS|Grr!H$BBEx}l%YJ<;Eq3RI?8M9D{;=k4_D z0vmnCRfp=|9$OXCQA%n#s^p(yur;B*w(ve)goiVCpMA9uFH50Kjhd@({nK?WCo%wN@+Q4bd?xRV-YY`~fA%<1yJHhpAQ9hZG^a75q$o zk#0Z^ENZd7_AZE@){4=6Vw{qF+Uy)0@?J5wn$EnFBW@ey zd9gcteaQ=h=+ z;#{a(|B#fPBK{*OL6MbZqugg%D>~fd78j%^8-+bOK|cg_Ka$9voMOqqF8+q&WLpOMk;+`~r( z6mIQU1Y78lROwq?&`w_*#urF#=>`zXBOEWqq?ZF3WSp_!&#aVG60%v86=1xsj41s{ z%6XDas~~-5Pl8R)0!1n!bP2}U?G(tFuI>U~C7OHG$% zR7qrS0G649pPx`5w(p-#)iQpZ*AxGH(zk>o9Nf2)h*2jb`)P~62pXJkcUzUwzTVSC2FL(s2e!C1s2#U0=*NLs{O6>Zh zsa@%V?ihS)0l%I;R5FqocnOB%EG4VX*8QKP%f`i@9{}l%s_p$%3cizw0zGJda5gj-!eCy+kaU1Hbzr$3AyvKched4sFJg 
zcG+E`WDxJ@Mz;&%cR&*p|I4|g#BXW))3`jr+hb8luLhM$0leJ)w$-#{-;&qY9*@y; ziT1Laa;zT0Sv^Qv^tDS`uB>`5hw(Ul$aoA2&-2Qn;Um_g#hcexf*(r5Ujx(vA@vqO z0w8Bn>hl3Lm(LtCos1_IwD@|Dh8#RN&@|%@LReWA<|sovRx7A3p8Wb% zR>ez{B(&7PgVj?=?AisvziS;q=ik~_6xf0c&P*kV0*s)w)=fy}Y!f@!2>EyER}WeV z4I|nno*rEj1v*j~Pv-!R@0G#L|8g%QBT~DhLJ~3o#Sj1a;97Tf_IM3FCV%i&=wb%r z8kNV+e?d#`6>ck_TRUZB?q24M z4K)+X*~bezpLz!BS^g&gSwg06NW9AZs6fC|QfU?x&9i!W$yJ-O&Vu<(u{%;mrxYcj zD+>Iv?R9Cn|E~B0Y)xdtY|P-d4|!ihJ^9T|R?k_8q!0=7vsO+sJj-D9;;wYZnPfI^ z?}A?f7>>PZHx<;z++e!?ZA)X1OcwMM0*(Zx^lM~4nN|cKPCC|oCSe}#OUV-f9JiTf z^RtSN4T?3Q1Al%GTyS-=ZcY?Tcz88}__1G)0lTBG^t~ItMtNEz+8Nii+^o>}fMeDe z!l>HRc-^^ob60KG(85h5x?!t!yH~CFunc0Z8m?-H`*yo>Lv#-vY^7G)Kg0Lgw}%W? z#W+|RwH8b+v?2#>VB6X?uim!qrB)N%yrX5$c z;4{uzxR}zOlzvY)#3QqW15c4vLlP~DxM5v;W*dZ$fp~w}Z}%ph`7)Gp$+m05r5dOg z723Bo{8$DP`|Wzt9gn^@zjqD`%@ci24GrHNOwbf>*kC%fKfRFQHOJaI4K2tu)_ex~%_A=ZZyeISRwElB0XdcRXT^*|{%!@!%&c!iEy zuL5w`iY0TFRwQh&pJya&yfj@Ewa8ms6gNff|LcI+D{kiEvz`@L)4zi@Oc%gY(el6e zBT+#j3HMR0mW%S~+8aiArv~qS5G!UjdZ0n2u0#X#$Cl4Ci)|z_>I!XU#xp-H@Nenh z(-%Fc$6dW(KY||uzMnK76|iImL1&Tb5c`zjbn!wzdc7S9+;4dxH2P$MOayx+y*z)9 z=9v(M+md&O5>Uc0cTckURWE(y zXjg>X_1Z6qZfBuQavaRtpO4Qq4sy10$8aI(A4qI%t06b&|F#ul(TJy#ed`PDRjh0{ z{;BZEZ0zOOP6qVp^k{-s9D<$I?P!=v10pU$1^|5k@INA{ir}eUm#{2#fd5CZpdljv zY5q9meqZ-_kinIY8R#^t(1I0pxx7~wx8HtmPq3gb(MkfQJUXYoCXbSf`|__~$Lo_- zeZT{Gbs}|DyPByk9p6x&Q>^c*Y^t&kv5u_jzuBRaZqUj@`jvW(sieGZMWIB;oO!|h zy1;^_1uj1cA%nC;kN5qMa{or+tKq!~_QGUZsp_Dn&pU>pF!Y)w@~jyV^&*)={8^7L z9l-sG#wr2HsZ0>MNIIl@-R0E&LPnWb%-A(Ztqg5YVU4KhmOS!TA4^T#Srqy zygAthyk%b68L%vTrM8s$=k#~86}-M1`}FV#EVn_;8n@Qqg=UK)EMg}v{OMY4vHLfL z5g2Z}0V5Oe1@XK~#?owCkYB(G=3Le{bcN3Ns5|Z0QP8dC9%bOfY|{fpJ zp4i{EXKmt28Aecl`emzIR7z!Vtcif#%M2zUclnHPlPc)D0i)>4;P(S`?9hnZ4 zy$18art+|fH;aKnB8c714ga0H@C*!ue^<&*yR+(&M+Kgq4-du%|IQX8)Lez$?%A-Ua_4+k?TK=4A0I<(?(t&trPvL5br|SWtGm z5=A)2{~^x^m681ZgiyZG3*l`-NSJQ*a5%*VjumpSJB08f*tkJ>kmT_c#;a0=1C`*A z<5oiq!SPhl^$q7BNJUDVR6C)g9jIu);EU(L}fAeVZ0p*gB5VKkUK?%F{06`^Z*-{ 
zwcY3yLyysW@iL?$4ZQC{?%je`cdUD)sqMFLhGuro=6KAwgQK-9cpgR7+v(HK~IJ|}z`q^S`m8)aP}@Rxb(-V028#S>HY*k^ag!lzFUVVLCyt(X%Pl6NSl^62Cd zd8{He!Alu3dZ%o3^gXm9Y#FDk-e7$;dDLvOsP%I?WB~S5~4& zBl7aQscxtj?H+EGdoMpsLX%0pV7=sik0CJqElZfBoY2HtUZYNe$?xO^O{t>9;Hv9f z5*`)Lv!t?SLFDTj5=UcUX&w(Ar<=FEO4!;|4@woyd+`rB+B5YXq1Kh~jz{c}Tr%oI zs4D&EPf3unql2+tOnEZ;W7E~sBI`rt6JPEmoHs;LV2I8Z@)^xUM>`^<(c5twL_K+<>KB5n zQN+g9CI>WOWV)d8&L+z&OoO;rhp*8~;-ir7n?W?mr^5wEUNB_~?LQ}y$hK**xxu$I zqBpWRxWLI${j;~#;@mt|BHqYUCG?I4A)N)Gc3XaOWT@T#9Aqgc0+wvF3vlZ+-cYGWy@h_bJRgMukr$U81tM!SQXufd zRJq3YtGRYZglru@{Z9cujSYx3DN|H44}We3Qi}K3JJ&oOq(Y{tzC};RGV$rk#!|5`(fvV4qDe;|X*Ke%Lc)1^ND`{N;TBYjW3w<+Ta+e@ z9hQZR#~%+tRau<9rml8};kNH&AK^p>Y*5j1b&IBz@4208%E8DMELG<`k!YS&QIe$| ztjcjFSaPJA-?J6Rywljk)Wg>MlFgfzTYoM*gfvxJkIAHHoW}JBN&NnxI6f6PF0cq0 zlnIFnkqrPv;mH2l!Q6redez9>Q(ESf#l(Ap3;XN?57-Pf9UJ=-PEfLzm9^lF7 zZBuo{djlB+gid3nh&FYtmSYseG@(nDvZV0l)Jgd;g7x4{{Zu_>tQDTk~!%$*d zxB4(hZqlZfjgW#!Kl^)dq3oIQhKiu@mUc$CtV%*njT&8*f7Sv{o`u~j67x6LANa;UE$l2Zx9o?|4IF7Ji%vi{UMM;&0U#e_OVZC>gr#;etkMMED_L)LW2SwwfqR zj%kp)8-Sgda=fcP{2oFmewJTXCN6`H)lqiTFic_|zvh0yh4u|sEKzSiCIpJ4%vh8f zP6}poM9$~+z!6~}vyTI(uc0ip-E=V8Fq#5pPYP!3o+ z`l2ptb}3)zLljG3ytY`H>8$}PayfP;1PNdTmo&L$et!QRfdid(eniYB5BdO1e?#nr zgQKGZ9T6fa$5X(BVL%E#wiVqg=4^id?l#ZIE{lu@)p~V zm1E!m9(n~2_1r7iN(>zX+ke3oZ1o*iVDp+Qu!)aNkUDAw!w%AxV(%E(AO=spiH&0M z)EgTblgEJ7b%(CCzNxHg-R z=leJQWO*d!GC9~gah?!)IRdS!DLb8|WGu-o5@Ux6y*$yG+P*4M5dnEzL}E7VbM7o&uq8|6+Uquq5A%XXeyA8=k0o%ku@5OrA{utKcs4yJeiGcVM3Bed zG0AZ;nr2D2e-v6)11*m(rh!(?GgFS_Rm?^$j9L{@mO%C21!p{h*Bq|%70(i-*v;cA zc|1uZ{Qw>`_mfmlqpr4nlDLm6ML znfJ7*h7f9}NCZHc$rn$OoRHg`!w#9&%SVZWGk3^RW`62_hKqUVC>4@cmS2B};>vfA zh9QEJsD@!OZ;&FvO#};taDl`{vpQfGrRXJ)ZeV0OjSDNtQso$syjx^e|B%oyTno{x z1788YI|Z9luoW;|!M1fvfFjQbErsi9&VPe_N_#AJN7K-&@tme<63nu+|0r!esoF3# zXE6bw@0idx@I>#8SGp~qM#pNafVXFN-LUlkLA$wVvr_*A1!lF^jQ z+qP5nSx7tw_29IvPTT6Vt)zZlRR#v&3QSO$3kEum%T(3*D53lCmXLT{c#p&i&^E2r(K(Ts_I+ zP^XSP)FOz;SIIYGim=O6AdhnXs`o}1(POb%Jm@7SzOgmx0S;B|JW#v0U`q;rzLIO% 
z5o59m0zo96AR0Lr5ckMr0NSUTZPJ!TvU`P5~1LIlsJZo z!crQ0#f$*14Yk@^oIYN4L4fv~TkWz1AEsb9H>P0QYU!cs=)+u~UZru6-8yx&Q%941 zR!5g!*9)z1u4tTXl+|VRfl*G+m|-t80~2xFg+k!W8MQP|s#Zq_M@I+B?&zpL6F{ZO zES*pOLRjQ+UykVt#+rx}=(9p_#?E7RzTD&}qp?@9 zXGY&hw(ox4d>J%}?uJDYGy%4zz1jc$9#jD!$ZnEgck3|@k#jOulf2lyzK=Axj*n#4v2xbDnlbg!B1VTv*D zEE^b_Fp0&yOb?ze33~M*cnA6BO)h)uo?~9KMM`LNi&B~cafr^emLdG;$T&fyjAl*; z4~{S*X3wO17l$6C4oCaB@m@SO9i3=C_6;y9_ntC2VB5){d@THD_Kjx7dJTdhH~X;r ze9$dEIC9u7%z8m70rIm+RW>Jyh&(SbpEpAUd~In!s3{jpQS+Y}GPj_7P9%ER@Cb_J zfGiGp5{!E{P!`}LPs@~)QqNRm^**YJ-q|`okQ<9<@KH?<(NDgYj9fd&Rmv}jZMVX+ zEJ30&voI2Yn1iE-W1OWctupukXFRE&U|Xlc0k+JHALLUxZ%>wK+k;gLyLqj@<-x9A z=fGLJd;NkEb!Sd$oeAApHpctTVQ!p0%UsyeIx;D_c&$7Q4vFXn(N|Obe^&2hZLBjk zN8cy>26P3oJKhU5c?nYxKE_-DA#}(}#Y$uMXPsSqD~)}e_fTefQVRx`DAi|-#TdJm zR8ud?tY_l06YBvBr#{mnQ{w7AfxfL^dM_ZCSs_v)Gn&h#P@wOjIgPmLb-Gstjc#=h zU{i&ec26rhF_8s664ayg)UpueVhMp}_*RrqiLrs*ZUbBUHd+Wt;&nz-9=VDig;;UP zg)zUun0?EoQh9C?xV*~?XQkKVhi37VCK}tXzI$bYLy>3^_AXOmfx#{|*sI^?K*XoG z6yMa~_x<6IdXf6+pQeBGsy_YcgT6Wg3UqyFeC0<*xSG2ku0(vDv*^@R-2M;{prsqj zRIxrKR|35Mc#KC53uLn&t>p@~$*I>Ps#pfBLr0~@s+q`g=pG0Q1^66;CK$7`Oo$Q! 
z$XqW4*6lna>?4Ag`Ar_M|Q@lIIhZxbv%>zK*7_|UG0ZkHdXA)Q15s}`qn8anUKEI;bA=bn}3VO}E-q&W_RNhHZJ@#NL zbB#7}mMLB^FBePDP-Y*?3=dR&M{&y+Ov%dQ7;n_T-j(6LaE8F+*KpMy z3UhO6ULjBrFz_1@hg+C;GuhXMssgVtzE6Sz6JG#t7FkOugQR>(yX#xm+m70^ ziiMxLT7NLDDNJknB5(qM&b7AfU=$7w#J5e8*Xu!6%Uw6R8p+&n##za^x0%>-#x-FK z2hwk9te=q(oPq`;`i`x}=G5${&HPt?{ba{Mfpy)kJP7Xb(v-EdVv`n83NX=_pl&!F zg-8-s0O*Xirs35ImATM9+n=7vHmd-1@?6I59A`=;CQ!D1G@!t=?z!8>4L^$8j7QAmYEzty%FKx9pr#&$l)qr|r6uHN^mLqoA`tF79v$z_#7pTMez zxduV{A>N}6^cJbUdzFrZ4Qik3_gDIj;XR5VFg?Cfi} zkpehAV|xo8&tn+FLF4I}j9NEOs8O!X%Pc~_T&~uB-RBzf4tf#^I>c}`bB?wYPv_x~ z2X4|e-kn;ctL!5tv8uibXEeIKqeUF*qD>%+2~`}+(N2&{^O>paneP?Cvt8Lne_h8O zur}Dq6URnM=8B2Ra5_kg0}L&dNU7oxs2=&;Gc=~Iyp!{ALH+@_7X$Bs$7nkPx(C2K z7@1wDgTpS<A?^jPO*8OEgm?=5v>}#hQz|_H2kO`aL)wc)g+iHc7;t zBK3q^+5+*?51~3n)UvA^mL-n=p9QE{cjgl4UVMRx<mYf=lt)z_R%sB#e74zgO$=A*TI z`)1pB%+mq$k~j`FW*qx{=!qx>7vehKm~si@LJo$0qer&Xtm9?bTE10ipPG9D4Y z5YtxuA_W3^N7ttrQzmrpib<-Z``cz~+|oMo|K9yvjiXet#y7`CmVW zSaDJ-0&z;NjW<|h@XZ8PF;kR>WEu3Ey_9ZRF2j4jbjUxQn#Khf-nV+C3iHV- z>V%5&cWb6OAAiQ7Wqj)EBM00eB`cck0bXr@d)|{pQlf z>3)sJXkM@t7p1h}6s5vzTPh=+F8RV07q>3X;Neol?qmngKq{(AS+DF8ff4@^47YBd z?~xJ27?L4Z#%}ouYds7LRVI6cE0f(rmdR5NE~&QzMFo>R8G>&x9tpdc8S-R9sH*U< zNThkGm`BD8AsKcB4m@YIWT9s%&FF$n-4v!(^winl8*q@WpSTPQ;{V;GIKhux=^42)r~KWZi%5}EBRSvNbX@?#Fe_qhS11Fg?y zqZj8+j5je3o9AyYhLMATZh~Y_Vn@h%2LuqR?g`Kt=cwrv@#L1RC&qi))Ot5B51a}H zEL3&obeCZ{sOxPP%)}O49?x%WrScH2Aw`)sn~M{7z=zm-IJLuoL3UMtVYB2_WT#VDha{ z@XLel1}^R~_QDwTIGEbN#~3r8KxDLmxpi4|`^F`?%!nuq2zNRM%npr%S_?yE&E7Vu z*(*`hw(6i0FoT1>5TAhl6Pzh*%m$VLrHU;Ecy&}QWyJ!raYw-g@2a-LMS^V)^c?Pk zZre~bCbqDWcl9qUnhg4EC$V%lXaHyP4MZe8tUSBpzVAa?ytN{$kt^8aU_8{Qx1tHdxJH_};*es#!DmiP)o6XqJJ+(KTed!$ z3{r~{|9aD1TxLgAO4k~}aSRuD6db{`qfORyH+J(OWS&E~V;ZIItAwHz=Dtk^&GEL? 
zpS$+nsVrY69`@06+>iz&I4WuIp>Ni%d9WR69oP%pb-A+j4t%%m121No%b}aJS>WBv zbKytPh{D7^Z}{gzF}$kqPgn`es#Sg!1(Ufz|JAJvHJr&3%H3P9H%0QY$b~eO&6-F) zC~C-raM>_Qj3{=Pug{Cis(ju^Hiw2MFCkVYwl5-hKGv}kg(R2r2&aPa-Otc}#WS&K zkwW?2PfFD12|?$Wr7Jj%HbFcov&u8ZQuXalc#r~YCd$m9luaIX7=Y*%+6a9&yg^7W zsEp6`I!#>tkagCajlfu6AaG~v?I)JRg5gfUXcL70cF>qbgcEJ_Bc$iZP%WSa)K!qOojwMp>*&xhJx{Mv>*Si=u0#RXPSO_+Z`dclhytG zA9lQnLdsv+w%^qQMFMQ{v|9epDsEy=F5o*LjABl{tO}cQ30in=Q>*Et!?P$UjWHf+ zoTfJS4C$RO`Ra4aMcK#;=iL+T&>*&wQV0)lSUU*n1EDd1`wf+8r?7iHF9nVp^xC{L zkwb0o=22bw_9dScjJ#UXEMtk6tGZ9wtED@oXtc!Jff7yO5~gqErI3oGG+Oe^<>kz5 z7V^$ctNbvBNTPMGb(am|`vr?@<(PZ>afy33`l#wP8lnRLMd1=IL3p=+g!Y2a z6OCE=!BWlzq4r8|=gzQ~V!nNvK_owRGJ#-c{BOCX@;|PsA3|o;JueRNm{ys0XP^>QtXQ$)?C#7&woUK2T24(2_8IWtXTO4ff<{Mq_B@VFxT;Aai&-H~ zz0$}N2)~+;lE;4z);0~`3xiN^S95HLLThUHo&9-J5#4t4V0A?mzTePRnI8??X}QNf zrBa)A%FqsvG0=Ew2I=h7m|BR`SXYH`mRS#(3uaiUqLQf)746Vt>2u-qhS}2)uN&Wwe;{QpPc2y~9yJhV9_PV`lg5x0e^gc>d};%L2oH z*TEB#`JPL(1M;6rU&4i&4GxP>tztkSe!aCv(uIdP-o`nmn;)oWsYtqY2E zC35EwfePk8CGy_ImlhGL40bV>x1WHx?ZP0gpO;nPj7f1agT=SGCv`E&q68BX<`tr2{ zg3saeBXTSX7&)RDNtjK(W(d$4<)4!$hw=AgGRfon;GeKp?|QElhPkM&IG*Wy@05IN zZY9G8AU0^A*f*ZqZUhsAdso#olr9HRs*p|N))U=quS{y|6%1&pa86zN@5CREFUXgKKJuZ!1L?_a+TkM_+~IfdF2G$WT8S5<|546{o_W<0KR&&J@f;L2qF#)0%>+gs<5Rh0`U z>+Du=5NnAoZ+vjk)0L*SNwd(HTKyh&^}exXYHYz5QD9k1+`nh1r_WB|(tmdP%yOQI z^YJzJXf^1Nf@5_IJtgFwjj)C+y$yF_=P6uOpT*>EbvzHy`++vHocWVB-p32RGD$rT zX2htbHV6a!6&dOI{Wpi36CT%rGcsq~%qJ3Qibax^F14Q9vVdzTg!}}rDU5hmK;4^w zW9_PW=jk6r!fl5QVc-31GAm@2w0F>w^rpC+v{}r|ZF}bCb@u-C`Nf;pr)k&ThEheA z#kt^Fe^!#ARMB;8vDE(HRl74O&^*{Gk&8qucB|?>0CK-Vum35X_E*;%AW5p_;e|-G zv=FSodGX|c>-Zk6+_~Y`OeO*;?`<_v4>>cRNz)Dt<$Gt zdg#6ak*=nv(T&jsmN_bnEiW(liYIIVwTXGQkX2Sa6HL@+PqKB4>$apf`mZWe4IZku z?{1(%ICxv!t3p~&rU#h_nNGWR{^s4qyW=0Vq!K45 z0Q!I~cjm1#{bnY55CXV_T3?(=4Dzv_7>5vR?(NdC=AmszAxJlg>Os7|D3R+l;o0rP zmGYVklV6n){lFfOg3)C6i|yd3HQ-WH_h97!D}z4u|6z$2Duo8!NJmGX7AOPtKL@yC zxQrw})cpdT)h?HeTwcGrzWfx7gl)VBEb5>VN3^8*d8w8cTtWugVNBr0*Iuj}7C|=# 
zxn7j#c56&Oum0owiqKL6RGIp&2V$(MHD69}2(l2chfl8t`h#OrePhkK+%BSf8xW{cVp$h3@Qi%JrNZzJd>N8KVW^nq zFt3Ox2+#jcqeYMq!ozHy$@2l16BLYJ<-*62{4pF_KHAB1WI;Y4;gV|&&xvuEV(m)8R=?DuJY$mU(pdUPGV zS5l#-j?h4aVx$2Tm+uuqI=T;4r0cku=7SD_FQL-1DaNaJK)#Ph-2n2W?ws%MNl|cE zB|#YRa+tL@d0Gl3vK@mqw|!ivI9Kq-E0;JnkeXrmiZjbXWq-pAh|C&cWw0;M0cgaS z4(Fkg{e?Su#skBz^#>N#mluX*x3SaG;3^43R)AK_~_!i_?~ZAbYjp5(_n!S{aU|3b1a;b9s`?d(TJ;idPsqIDG1 zqxz)wE;ZmJADFh;neR>C3h^W4a1SSK_6xL{VM)y-(K{Kgo(O#*yIW?acy;S5h1qiMHuN6^Ge6Drfw z02U@AB2qN5)yA2+V=N=jpFc;1`tv{h;SU5VoyIKU>E?^@*6&`t=pXVw&)pro&k7-s&AeFLgo^e#^*QepQGvuPPB0OlpzH6#Kxz zD$EJUZgW3A1LoWgGrO9zZmTnLsl4R{e>w)y8NTVqr`ZpyrAqCUFNpoI=$D zRlWTIZLfi&iTSnxja^5dG@21wDlvsxJ~oQw^s~lOqip|N$6q$ zCD&G(d=@E9_|H|k<|QLnuirrI3~=b0{Zp(zC>om!h1VEWapk9kyp}>inqu9%*$n9_ z!GM$4be4#yKOv6;mnqGb#RNViOGaa6YKv<2D$iMbO2{jHBIi7U^0)d~%;Hir@sNKY zaJZW#Bcg~I)-IZp$nVs?Dls#eapDrjMf_nJKj986O%to;Oi!nja|n)Ju!+BUpS zFW}epz#7{7)F{NUfN9)3XVMaL6)o{rZ{R;6D2>n|bqN_>-`t)r=c3BgsphLxNt0wf zWgj(d)&~Uc1PJK2rKi}SQm25}dBGIs*E_=XWCEhyj<8dxBULI)2sGLL$&fX!Sg|(! 
z2Y6DUspxaG1E5v~Qwpb+(c4vk#DFyy0=Et<^Dk2s9y#MoY~ePSFUj8Cc7yUg-5B*C?7d+z?E6+hXzCbJDPu z8C$PM8ow#Sw`P^=^?(trBF`LCs}_S5f_&ac!kciZCv(fz?hFnXZOdw^+!Fen80V2P z+ZYE*j1C(MbWpGeYE^z-CW|GHAV-+)*t~0Z(`~~LwS%`cl4({4rVY7A^m>?-gadq2 zTHLbOv1O;^N-x~%CWc&N_BsTgLb|SHan{p$c6$2EWL4YD=^Q-JU`0gj+`XZ>L{*CB zjr2Bv`Y)I$+Gb32G&mHXYP+hNcThFAshQ2X4gL>R2kk7yrvdI#olDq3=?D%mwfcrZ z&Qzv=<`5>#wny-$YPQGnu4=Z+IS_&EnbUnoH^)E8p*jWfAZ}O9cCT(&%{Ig>tJ%Wc zw3=<0V1#Yo!|LaGE^5-1VPk;70NFD42-yy2)Lc(^OzBLDq*S4)q}w|4?>d;YRqqYE z;F{ffHzjZ=cy;a4=Z=JX7d84&75V_V1lu0E#33s4hf)IWo>m3h<0eqEW@R;;X1CtCuLvdx%IU_zq;H(7vO!pT^kUp z1MvEJ`uc!N6!EQ(k|qTg)dB+39an7-Q?s8$wK2^v^&MR~T?}(;s+R`GkcR5!A5d=G zZFIv9vV&zVs4eW9sKdkC<+1sMv?vqVeeJHZ82`7V!xQ?2O>V1;}7z+l?l z|HOg!p`1w$V=~9~7;2tf)jJc%h}G3KgC{VmcSiNjKb3mN<4^4Mwu565Y3OKg!4dCpEmWMdD?DOA>xwxUmbi*9Pk73Wqqe4- zOb(P`bUVgQPNTe>m<~@XiwNcC)C%{HWWl^w9C2NnNen5WOfoGV9NY(1J zqAHjR3N^TyL2IrL1BeOc(3uejVTK7wZJcZ1Io!4$JQ z-x&2Cc6R5kA;z^~9Z=;jN|l$xBY}v!MD5|WrGVU_-pygZCS|?ouOGG9a;g+7vX|ul z9{<~ zGQGvW{&D;Rd;Pb-PEJn#{OcViTay5Irlz8p;x@koH_9EZb_DcLAej%Q3C_^>;-v;vHMvAJO z-+sxyZ&G7d#LlBgl$p8_w=B>hrJ)Jf=mqMnRhof7nECpH%`P8CO+d?-Ysvc|h>0D` zFBY4{EUq3HN~1IYPRThbSj2N~k}y#GeZYW#$|kwz|>X$Bi0ly8|%`C3GiWEs0 zm5RK0PEwwgYDhiTVS>*dSr7)DEMLrl|8}yDQ9)wS!(8x8H6~J}`N*`(2%E*(=bMV_!i#{S*p z3MC4XmWkqdQUUF~{lMJS{Ss@%g;LKJK(X8p)?@}V+OZppWeRE~fM-9;X+ho2L?TUT zKyDULdvi2@q#ARian2>L!q-`8O?gFu!AdLL$5^KWmpT4kp*9|tck~l$NvkB zZdukZ-+n7COyhM%Q&Z47FT{##bZ2p+e>pJ)O=JjdXMHilOX~bF`cm&&8l;nTst%2T>HI8H*RP7ebI8h;8)61VFa{nb+3O_i9Il1+J-R22ZBTeb$b$^*m5bXya! 
zl>n7H{I1!o_kX$gR)#3;JW=C}spu?X`SQ$+@TtK&6&Y8e7*>NS0N}P?y!s=NB&Ir$ zn3Gp5U%D5b2*3h8hz96CLhXvV5WU8zq0rZT)+qw~5=Ia_^e$$*QS(Pc=tmLO4_381 zTq=K1xQ7V;=!P2*$ut!5u4B;ccs6lbswK-5kI>#=oP>Q+PA=ytEXD!0RIy@3!DA*# zFfI3$PCR)cTQfIs zauPhHt0zov0GxT}8%I{G_{cDG*BolGBz3(Z@ z`QftsBNR?|a{G|;h9%bz#e*%VVs~^H3ueBtAO~pBI4+o!_7XA3*t@Rtt4s0~c6YEP z<%Liv!CZ)x@?O`aW&!Wo$99oEGZVVFE7un>oz0<6oJ|E@7Az)4WAf>g#NS|lKh2W( z55NO^nsXbQRPnu*T*Ia7+@Jz_&m;$51J94n6#e3|3O_1 z$eNCmZ*N4Hm=wN(`Qx6J!# z5SuaZ+hDXb%eWe_ z!gp8hl>qv+z3D;t&Tza;pqI4OP!gI5^BVhG=JKwvo05CjwyvMmsIUZeRtM z?uaX*L2)`e50wJr(Gp)gZn}$mO>*&2sVyELp~dht7DHpW!sEAgJ4pAOp5g#WDGr*7 z;!p`F29d+?AhNI&6M?;Kp&j#| zjyX6U&B2|mG6&0AnrN%=1Y!rAtC*RxP4JRmFkXbm2%!6DY*hcpQ-%amqQO>DqqT=URr+>ob)1XiDeEd`}5glm@>|EXkE zx=_cZ+=CGf`n^A}A#>FrLXp^rg)?h)Ahh%(40JF^O*yBQ4EemP2A@}xr;VsglSJHw zX*PWZMsK}di%H5dVi@Pb z>9ABwZf9&sS6q|?4 zeFG$eulJ3ww}Yh@AON-wupBV8fW0|GszYu`qj1$s5rvK>Hve2d)7YR^t2Dkn%)-JP zP^wkzN5}g{o5G&8JnZeiOO@9?vRxgDkgbn5pLEPeWb8fD)QVoQ;_X(0P(S(J=mhk@ zg-AR{KtYN!BQKy5aLx+Q-5B1$=+X$y6ra-hoM&9ENknrx;|W(=9qhpe6F=sayBN9( zYlb%?z!~T_qNJ3XX9Av}5J`fb?D*?u-(8}29?y1xkMm}enwPxbvMAy8zm)O9cvb5u zy%O0xDK&YxN~oHP0+R)ZtVLF=++fJn#a{@oxy{XhKiYXC5Bdi=VtL*BCdmNUeq?W*GhwJS(c`tjS0t|(7*9|7~Oe_%;qN})H?=}1jAVQMnOiMjVwbK4~lo1#qG70yG| z`mWn4TXAsWJ)=_cMK;YvJk|8^>{oUYQ<}xo8hzY8i+;vk_j}$6ybSe@}>a*+x5^Xrc+DphYm@?oOMjVVYTmx;Yka5mt{ zU>+C>A<#Nu97Cz%a^A-$LcF;JF8ioOKy-?zbQ0DF5A<&nGAk9~3cPWmr4YRl0~B`< z=CtA>0bhNQVS+o2zEuT3J2)nttv=&@EMTg|DYr?Mkm^AkyT1UbTq+_TDP>x;rAgu!jkk!21Th6!`Z%zjn@Kc0apbg#YFoEyLYRt9Px?Hz z^p##JEt%@o&(?%1D|)JBA<6~9$QaH|V4~e}5bS9j_iIg$5U58kf~!nz?p=UfN)==^ z#;CrcU@{k(?iZiDuGaOx0<>DX%VT*`ZSj&XmUf3}!Ay2pA2Yf)`d-{5&ojc(T&+Fy z^iV~yB6VN^Y(k|uE{YqO-XJS^-aFc{#%99RGYRKzD)N(4a!#_+k&UhiWWtSaI?|Jp zqU!5_mXF+de-5^PoFh76VMoo#vLc-{h5R5>!zLyos6)&oL-XP{aXd8pa%1TUmyjsA z4g#O%1ojKeyzb?hBnh3dB-jh=!O8$OH`-gJ$-U@MKoe!-2_&5Z9Js%ta~HLNor6k& zo1~6-X<08P-5rh)o?v>nLTH1_pw&RFFHzW7^v$v<_bki?bxa7&^91Bfk%t1__`pZnSjtH@V z137PgX$G{;VwuRMa7}L=5w}H;>Tk@!25%quD=4D#jhc8L4?VWkP)oXEReov1>`hES 
zfVEy}DZj`IrcBD{%*y>kQ5{W`Fgn-gC{JjFWi)`9)f-I}TkwdatXP2NHyT)wY;bu@ zvQI_F;RUsJDJM3pnAmjqrM5#cv7svmPUlN-*LX@yj&UFvnVd!&nH<+fCTC=FTHDCv z>@oPronL@EGseLn*whtdnpwFvx9bfk-b`pp zL9+!TFQzY^KM%q1p&@cZ0^~w5a_VUzdtb#}=(DGU;zby`wHX8M-|l1xwKF=@j2bP* zA?JUYGDTXg)wcOsXr8i(^U3gn-JOLiCc=ixYXs~=u$^WfF)Cd}s@`ZPs)!URGnMNM z#n;nkc00&1J6)WTxHSH+q|9Tg*a@yQDCthB`GvxTzN-QPw4vlf2_=KTjO!o=#U8kl z0Wb>Z)td)?Xw3Y3gTtq-a-Gt>hR_Vn?8D1|Y46^L#1;qNpS!Sk#{Eg71&&fi{y##QUFZbU8;u~_@tXzHz`xi$JxBFmX!{53+oZS4DK6X|NB zx?ofn1h-LL;I&a*u&s^if>B*Cstd4v`s#wwCNeTPBa;)5U7@VMqi4>jLL@>=uF5+W((&1x1#_Ei*I%BNP1I6krsYFagE}=bi$0J0V zZhj(>I~r*XT0!7tg&erj*jUe5d{tjx@5O`?H7tY1F@wnSDI%jFb8hm?)>qftsexF} zdxOGn>dP8zAoHzywfm$Qj1$CaI81n`U>p#S?R~$KLS}%lb8e*ZpGsD&A^A}yPFj*9 zjUNSU^M07TXR|%%0+Q2L$#|t97L&XlsX1t&yG8Yh)J{8|lcL@3d`$ zdnB9sxt%p`WFIMaSIryQ8!i2@>uJdDMHNRv)p3B7HI3Xu?#3?KIC7A^FuE!ZN}z|) z&ymO0(REJ13?8i5+F|USRbgaTbr{(XJ$F-!k)2dyWUzXS?4}|kyQ#^@j?e(k<{NM` z8UhS0-(lwbs~vB@9rt}7(&DWZS&fuJ%A5bz90i=Z|AA^zQVSGDQ|&)9DkiU+fy3vJ z-sz{3uV|wA9dyaGwIalPgU_6p3R3!-N8y@Fa&*hqN0VUJY1@2)b#$2>RRu?C1jjL4 zkWcpro*iv*7u<>6+*$uS=#%}lx}=6FU$gaY#_|EU`KC6S<${$-yHzoE5-SI34$Y`U zP&>kt{xYhz%@|SimStG_D-xOHv8gqUn+)UV&9$Y95+QEO+?DJpL^=rdcovD&`X!@3 zqsCo>)uu)p{tm;!Eo8z3K78Yg$R7xmlpE$k6DS`brxqh=}3TJ2Oj_n}a?(ZO8S=dkkjaywyG7qE) zn2g~5Z>+xENFj4k%y=BL3>?Jm)S*CB1I59j?C)*(py!DclV*Pr&8)LN(`SQa_3jCm z8l1tklZdq;8U{4Um(#QiV8)_hVFXo`ry?03%6csHnQdiaL}X<{qaTA$+x> zsaj(rdauG0s&qYhRwj|`>~aU|kOSAg&W2Ke{r1N1Yg&@-O^@~3JOhW0xzNN^0FRDY zYu!AbtLL;ysX#ImO*^o2mM@fM*C(Q9-1*3V9K2TzCpK zk!bHj$lS+YEj{I}8B&B~TP+g}stem_dlbf}6B?J~QJ-6vR^@uyrL7frn6@7#Xu^yV zc)w7Sj4EMyXFHN$Rs4>zG;g#E1$C^HTtfyHrT9`@XM)XJ{{+A>vT&M++SF*Ty}krX zDJJ72Yhq?Zpuhm2=PZ=_G7E#iaH^0ClqxT7vL|S=?Wl2n8v5`=-)epZen80g<^1#~ zcdLZu|5Lk5{DOXf_J|Bu7n<}MFv1s%m-RXi@9sDAP;d0w)*IxsoLgMOy+)OA>As?fQG32m>xTIO2!ah+tPj6rHtF|58q*HkoHe~`)+h? 
zrPxZjd5HMlHLkrIqw)PZuvT5w0d@HH-(RL3S^Bb;E1%XP-&_9V4hws_t`ECi%gym)MU{AR7wzi$YU?Zf_M;-d~Lww6wZjRE)$wHdPL zUH1EjC^^I6C8(Zgrp@xKaWibpYxIu9>M)F+sGd>xE zL!G?3Z})eP=f;<7(+kZ5fJ-S{!r5;e;gafMHY-GtHE3A^)(v=HtPQWS-U4VBFF!a? z(YU>{PY&P9r<4899Z(TuG@g5N!V7Tqtbnxbx^ZuLR+ashnMbIIG{{?h|cPxw4_N4r6uNQ5)YnwY?**@l@}vGIO$ z4Qx7i5}T%9_{P_>4FdmZ{Mj@y#m0rY5aHujA+HF@7!FB-43P*>?#%lbR!XR67nu`eQ!vbV(KE|$}sq_mm<%fUH80FSL z#7XM@R3akJBa|1h4s^HkS+GLO^>L9Q&RObFQ9YM&9`UrqNng&nPYa?{x0Be4kM3|4wK8EEBV) zX{a}krs?~%*tm?=_gVh#sG10}shVK^Z(-3X9+v;V!1FT3)7+XR-^eq4O%cuNIfToL zXHzvhKljZT#Q^HXu^iA8>lt>c4^?vkw0`->DL1Y9gnLQ z9_5yc$xp-QRf&37zu|_}ad!D5a<^_}TOvdy7+JzW{L>CsE~q<%4KHE@w7m|dDk!!C zrA}8f>*69YaAd>LNCl;1FXzfKRQgsUQ8g#NUDfrJG)gQbkzl1WKyJ1`@E--vsrq&p zAE2|X>L(t*HN+HA?_O}Hn9oyrDC|Tkp(4$kZW4c`jOhV#R3>_9u*~Yi|7p-@FzO`p zn3@stv=GJVl3N5fb(*VB4V$!9fg+i6Uj~ATuc#tsZIFY3`3tz;7fUjonHKoS-`sOA~yF7@mv?Nt*28D}Q{t7NCC#9dvU)%OVNyw%Qn z+zCaza8JEXA~*qGog8>3y{Gcj+23US8hT0^-VE7UY@q_M81IxH#UpE+mot1my-LHX z-QLpn^>}&p!Ad|Ty%gXIOq&@n@HTS;fjg{|X|(C#`@DSr*xm+wNA!Ui`}<5-U_LEm z(G(+kjKTx=3X(_Hbe`7hx9yRUHo1-o*nBjs3I+-<)&pKiH1kzVrsi2#HR@ZnB!d=~ zK?<0X4~rY_*ERXae`(HH_w6Y;l1T9`)%qd!{#4f%W;4JB7`jPAnVkHI97H_DkKm-!qV#kIV43?u1$r*D`Cp?ynvif=u`kN4 zvg)oZar7W^=HhgSJW1(tMnm$$^3}?mzCP(TdY0vrpsi;A-kN#00{TuL2JQWe|6rGL z(63~*7`l8_Um*#N7q}Z1dtgikL#XxD2ef~It#VZha8CEwO@P8LJcivsB#e-z(t1#; zW=1!3G;%9!+*&g(P8==N*_sg#=6t|?!Y0XYe^+dfoZ4SW2K=JPN{gUbag{Qk>M;uW zN17F{1sFtEynUVy+rmyDtK@fgsuBFIyhxoaY%c5Pu5T(5y?mw?MOT5sSDV!AbOp#y$h!Pr=nwd@KDgT1ijD&sJ@fCS0 zAp(5doGpL7l$!ay?eO0Pqg;h-NseWUmS%*nYGD(7vb>Lb{D@#uIt(bNNG_EoSv*L2 zW5#m0tJMYHN4eF^8SA4O@;*xYl%aV)O7mo|DLX}OS&Wf(RI@McC725KhR+LCbm$y0g_;VphV7@vih<}p+Uk!B>TmTywMCzf}{FzbI_H9 zRBF!nc0!(zX0G5sGDp5k!=CD{R0{kO;~0wjzg|wc|9LqtK8;@zi!;GWvWD3-{CYRp~u z#E~ii=dyv`uI5sxcNl2~NYpG^J!gZefpE*9tJd$o0}-*cu<>oZ(?!ag1fpQwL#caK zhqWb8KC}=0ar1p0e$2?qr5K7nCcba)f4wgI$;f|te|t3VPI|sB^y0qGethn;Q~B|| zgnjJm$;-vY`8~f*s`+IFUf6vS(m%O`Zo?#xf-6BHt1;A5?E^0vw(qz@Pq5c1 zKvS0*44!~b0HFPmfyz0>0gut>H(Fn&gTLJ%Dn3-Ow3V1#4i}(ig7#94A-$_3c~xZz 
znP0LvJa29T;@Bo3u{Vm>0V%Tp1_Yt1_h_XVO0_=)Me6f#zHlb9P*to+;69!3?qf~J z9gW~19liF>a}0*sb-k!+j{9VC+QMr!lrgodS#>zFTO*3(jL$VP=s++t zUvIfGMabNg$b5B-2o{WQ==MYz8UURps280gSwLYBo@`N_tB6mdnyQRO?i`Kaw_Ci} zYLahh4P4~fnx3mzas}hZK8Oy*TJw(Ub9;6@ga-x-AfLmrlw0o>zt+BD;z)-D zZQ}4%7#$-dvS*s_?D-J#RWy>@p6m7Wwg7Heo9Xs|RiJhMZTiM*bRlrqc!&f{lu0y} z*;V|I#~@JzvQRfV1vH3YcybxRb&hcji$ilNGC9bqoDlWqee=z1NUf+f3)5}>#Cfgl zdYqGnd32!&2uFlXYA>j>{-sKNXhO}B!NMN&QxM}Pxw)Yr{79qv zhD#ZHmvep3m(7_LiD5IROf3j_tw?_%5+TpKzRk%J154t>N@7hbH48rIU7vgjz(Qondaw{b9;Bp)y76vclRT5p zf~g|-awWY>rG5yZRW_!g`+$^^8xeb33JNJDvQ$Ncll@=i*#Nt9%yLfv@wCL+!6PKhbFuJO&L(Jpz_ ztj4}C8E2&iJ9kxI?=-h(U{W84#|N$_BsFNT!G4!{VSDGYyv__iS_LfkFFQ6);aSZR@FX-R z=U`nAY2N$j=)rHq$Q#gsYI=_rNEE%OkQ{cx6NJsW&sQ>@sfYGij-HP3;JLjdkH&_Z zH~dh12(-X113t*MCefDx2;WV~umzrAd%`C$a&P+cU;p_UJ`O)x+33FVf!K&?2v}rQ z*inq+P}{z7xqwpFd77SbC^TnVE2FoG?jB~4Z^dI8od4ZvK)M!f-0!F37XR5#!TCBQ z^e_T3-09#h+oR;S>j--x4k?K~Ig zVpZ+pghDazB{cCgQj0?qB%`&$S(#X`gv~b6f}@`UxKoZQ$?Ad#V1S`|wdp?o(~R}; zcutk4%ng(4dwC1*FKJ4K)0>T@sPUb_DGdO<)4sr3aHHr_GO-?H%4?AZx-z!&L?tpkItr5WY7|^vs9sHu zpiq*9rM{gZGo@MKl-G1}?26yvc7R0z)4HZ#LIzzK?&<0}YH@y*c?FAgFgfYA5g4rk zVzZ*ND2AxWL-t}-9nxo*&Zds;-Mw_(@B&jf=dmeTsz%g>95rW>X(qAMN4pEh|9lrc zY-y}U?O8xF5E|{bMkF@e&FvxCw9{Ri-YP-iqjD_y zQ!eQ&TQn>gy4%yqNB4^0n6#*6Hhy6mHm3UHGj=jnXyeh@)0#jIOPg+d)q-4cn%Vm2 zix2=uJNNV;2L(VOz;xjQ0*ev2@njH~papskif?|z*VraP91L0>03I=Mi1ZK^x8PcC z5=z-;q1py=1qQ#6h;N)PmY?U*A-uQar@Wb{u9rl!1D5+1{5PpMo8Ugm52Jw}RHe=C>heIuQ&X!H@jQu_-vtYwLSM zWOZ`cp3Ir`vrBtSsku7Ezzru3X^PeFs%?9QZMj{EJjn`~_%cZwcS5@Mph_}j$rtV_ z1En!`ojl>`yO6m_5U<i#$%0k>cBtaY5xY7uqx8)iH`4&j^_Qo z)^CuN?(}-<`I|-E9|Smm|NVtPX*g67okjnS#SD}XZA`~x(O znEz66LF8IRy0GGBHh$xQ&^tdoY8sq-8QDRboX9CW8RCzfQ-9AbD&VF ziev=AHUOEG9Un32vrUCe(sbu1H?euN!AVRuZvEu7-Bcb$j90l=B1~B z+KLf1S_oDh*vr~0dKPf&XCz=k^cM7CoP2EVs%}}Lze>gcIgy`%pw-nnC_sd?=I|co_!w0xgQoB}#PD_ZCm=6ReL#&U@WCY~Y;8kb{1KELPOC8Y4g{w!&#Qq= zdD7oZMnO%kyj{}GE!-DzPlqU&@j(c`jP-FsgF#utg4Y@xQFCqkx*ri(ROWqjBUU_e 
zp5I{PggoJu82G{ZRauQylc~De9$~}5;<*At-(Yx(f>r}IhJh;N@)mquCTBgkm%PZpj7bNh-}s*F*mBLu*1*eBiuq;;*tK+0TP@8Ya-^0Clt zC##7>N^Jlvtd-29h7@zVz7o5>%7{4NqEvGrcz~?kH}d#(>s%MzAO?Fbq%PI|$vv+f zwUwOoKnmx|O*2YTq1m|a5XB+sHcGmm?+`YQ<6kvW#En0312=sJ&G?uSUTk3iQ!@h5 zl6Lu_xwhi!aCrTS%sx7I0`KpUfrGnsz{GU%btN4pdjl#`SaGZ;PNXS4|L>S>ke)*& zp>92<_aYPGaG*iAaGLeq{;A9UsTpU$jvmH0@+nZi)`>?Z*AVq5uaTSI z^1cL&tadb>fh1D*R6lz9{&FeJ1P4_P zF3{MC@1p5&ndM`-K4iM5u*0qM?%`Ya_@vk$&2GMU%A{>Ec<$P%%EP(iY8}>wvo_wQ zkTIySXKMvU#2aiE?!#Cd4(Bu?FGnWH%p*U&QVn!&ZovaUwJ*lM_gY z6#~--lmZ=tzd_k184QBAS}N@=47?A9M3@C>x^_ydGho}bXCoZWKrqbY7SUvxX;NB# z4H31Mj+hiTK-y&I5Ed=ebE)f_&YVMdZc=3-JKmqPU0*n&Qo8KUSN_IK2v3;e4}n9dmdd5vp#C?zXCaL5zNMmu-y|@UN>%QqQLRHKo z3XVGei?aQlP|;GO(*(%!+z^7j5mYN9_(nRY?F5LL-G74i416L6En)o~HJV8Ym{PAx zYcQMFx=_GHdhniA%^KUDrrT-)L!6fAfz5&Kcu8A0?Um-08*@^5#^|G<*CS}ecWF31 z3>HJR50ZISeOF(*zLptznHgtzV;So%6+(L-RPrj;hHkyLtx^v)QiJ17yoL$Y?3;GR z(qRl6C`FP&iYRH6JcQjD(qzeWBt{h!LUE6hf5FKOA5H#hQhj&93CMn(CTFnttFT*g zey{rdd>V`8hjis=kT2KbZ@GS!u)`P5UvR}k?50;cC>tED{=V`w6`-Jh(Q^fC?pbT_ zHLTLz!z!l1dkWl{_a|kO!~DQy}oY2QHd!wZiK7hK3BK0m2r`%p>(Q$fVDoTc7Bc&D7wsj5Lft( zbB!q?2kk9e+e9D)?x$AM^826KdlqkZ^m&Xg@z!k3J@pf_fGUu6#=#$JadfSb8G2g_-s!sJlrPZGnRW-5EODZ?Ksadx$6 zR#{;*BndD-*2l*!t=7Gjj4iA8*lMlX!=8HC|T zjDH-M*N9p-5;@t4UjuNnmf*~ zce#ZMg(OZq$?7F&rvK5@Kly+jZ!s(OAiM%H

509`xbmwBuqDS?v<= z+?*5hQ&}#a=ly4(Vi9ZHCn*;^PK%g1vR`5}BWJHPpbm)PexVqDYKB zOYdO>nV=p-n1BKN?q?+%zREkJ5ILA7IG!;3k99WK-T#N7!eg*2#PFg@{d}NH9Esi| z@2;w`Y#wS2=?>8gLAL>PkV?Zr4FQ$h`J)@mfn;2~Bx9_!Qv-}O-l2=cZG9qKK!7oj zc!t_jDSjWhm}d`)W}V_(UG1`OVTJO+JkY zTgl6Opwwjx7COPch{ZyNpyYo%o8=vW=@RnSYCd8?yv5pw1(pFfX^n)xeIk}pE<>BU z?y^4&yM@f%wF#LPJ={8=b`fo=h=o0)q72OfdbSLBcs9kOF<^frTdg+EOEZA4h5)e! z>a2rh-tNMa6Oa2pmL>!?547~N-S1Mj4e4VMK!_vpuQ~g1rNG!0| zBS_hH#wN0X^HbM`CzIXsRxZwV5;`zRR|o6{N}Vfhi!&Z^>p?A~4os-mHCgUiyM3nC@n7hM?jXNQ@Lv)*IzGdW>Xc% z%sLa3#A7QWTgzm>Kb26yz0?g@nJi_mC2pnG_l^>YI7(W~5~mmo`K}o{5v}wO%X1=2 z!pWocA8{E4@{6Kw>QM%$t zp@ymT;QiyUwy@!MbgUpW*#dOT!M17QPx>S6tBEf!k}WtB6?q~`v8XdMz_^Biqurpl z?VROfUTwP(C7xVyYMGV$#Lb^3b^ppJ1>Th`yM%BYS!??G%al#)&h3fg4My13wU@wY zG}C*+P0NSC_X#)yxMD8?cCG-Y6b6f1{I1>A5QRGz*RNu}Ln4bzDuk$uq~9g{QPBz1 zG{uI4fAirev6n_}z+OT&Fu+=Blyb-xVM3H-rEXtVkIa6zBkvU7G=-P3Ft%sS_|0}r z`Jr@GU>$BxPxk1=``vqs){LlJ=zYjft0{G95U%LToQkxi0+zDDTWcJo1g43v8lfhS zzACe5dap<>8ih*1)sGo}-34z1pz#*Blr?h4DNCaB*6)8uAIXJ}Sk}5BHSY=OwYr)N z|Mu*h%hZ4NhR3!<@n4;{MpRmh0jf7R0;;c$*HE#>k?Ecz6Dah4^&wAiu|3rP3{|zq zbBqPAfxT)g`Mt<2gKltZUkF|?4zk-&(&N8>-?__$ZBBbSF+pHTD@9PvvGTCzSvA;a ztvF1H3cvC|_;ba+sowZ=sqO$Hq)K(OdbSm6I(*n#g8xor~%HRxoEULA=2v@i|L(Q1*;Y0%p0Ior) zUvi;0Eyqnk>x5Z1IOUj9P?>Q#7GFraUlS52i*lw))7u`9H)0O-yB)Ba{Y3k^{wl0$sWF|Ef>0!WyUJm^J~=ZD zU17W!tXWFku$`}PBj_J0$gyw?6_#%@shsuL33<@icbpxc!FQk5J@6Thadq@Ek2g8T zNECW*d9aEd`Homn^TZdQ0zM-K4+q<>E3sb+G>`1l;cIWfvKH(;Mgrrc)GJPfv#bu4M-1fT$@`rFEKQOj+0*O+nbY!Q;9{CEX>Q5bRF*VGSBsC4zl{kRu1CU^xZ5ng!&X4|UFyU92F}neX z&TlI*eLE|EY8=f?ml)=vy8y6o>-hT#fnUU)<||8+sE8@KvItUJoe$huV3NrMgbGNQ zFp4O$LA&TJi!XmiOyLyeZ;Ef#u&t#bSRaoei6XEKj=c`T_y#RxdpdX3HsA!N$DTG3 zQb07e7*IGqZPKyUr{Zf}W>cq1#ev~xW0uNg zpR7_g?#r*+58ZOivPFC7l1}|sr0;-J4-y8l^L^n2)gJd2iKM<0EN-Vh31ClWNO$$rLGpaCb)TCO87mc zd#@qxs$!|#_mwS4Hqzw4x$U~Oxn@O0|MzsZ)H4htz+o>6eVXBR@PGGQEUPsi|LmXJ z3EW&SQ^cp@3>$e}#_2jxUDtT^W4Ryo5z-7=T*Vn86)s?);6gv=xwg&1b>I#gZxHwQ0`4y4J%(23YgU z(@b|8tP0WTC1Ppml}R;z2$b^k=YGCz$NHsbe!a$glvl@V9&y_6=hIOTa8Ct*9SNye 
zC&1v%ejauW4XLq4RkFjSMhV#zdo}NA3cI1R?!5&o;N)D;5sr70E`@}66~)m5{xrIs#oNKsgW6mKN%Tex zFL}jidMCDJhBvgT=U4+Rt6DZEY(ZUssSVsQc&J=itVeDv*Ja?xs|+9rjk2`UK7!wE z)z+{gFT&7Abn%wS%S0*R96S`rhv&Yd8&s7fhkCgc%40$&?A>Z&B|E%&64!D&05KJ< z{P`P~mhau2wze!evzA+hXfbTeifvG$1$ei8K8>r^^`7Pl5>zY}prO&hzw?{DJ;`cw zl=k^jSoAjndW@OR@LOrvV%DAaZ|kLP_HXEU#ldWE4-Xf_lD^=1nS`Ejrl_TV7%4v) zU0gq<)P7{Evtk>o7*N&z+~&73T4Z&ovp|sFt+m3$kYQEw=&Rw1P8Yq?njBQ)Hus(7 zUg{0Mc=ELK4$N;4Xv3q6snNHv!WWW-?fj97;J@0px*UM)GQ~@LsRCM}MVh{b;jC{! z`_=tHejb#z?p1Z5<1#boChLh4h3p~$H0Tjri2QKK+lraEt9lQWmZ;{?yfcT`#0;aCx+8vCh)|Z%K;o6Oa~07 z3L2=@OQuK}CmGbXl1&uqLkF|zRWjcz#>Q081517;D19;6j_tq??SycUm};_tq(G{~_IrN-rcz2SDo{pC!0ak5 zOL7$F42M(%qaGktn#3h4y0jpL|IrV(d4Yn6mwo3>(e=rvxUe2)Rty#j=)2V$&NFpP z{?%a{6k5`PZ=F}96YcX0g}*bkTDpHF&AM6-St2A33df?`c0~)sTnwmc6xwLmWAbIs zl?GCDXxU6Xq+JBxsP!9>UOzEFklILyJkDKZ(EtAJxwN;{INsW6p5^|=!VO~8y$VQn zT9;WvvsLBxPWe*|s$}zk5+6FLa>#EN}&cFh?o@vKmzHfo=L-|3GU)n!R}GMXjxQ z|KqSbCc-MCqc7I-@-XaBo6=vJ;8K#vHZsvCJsw$aPUQ3p<@^5&x?5hlwHE&r=ajhe zELE0VrRx64j>be;J;x(@!OBfz+_tDMzqA7C`Kw?<(cX}T1F|&62$11GnP)s7>nu7y%O|u%r(zkJ^+QL?Cvp-$ zKy?g4*#uXRC}Ofp9F`ee=7o?`=BP4Xh=u(I)*Lj6wmY@cqivH~>;N73V+W>gBJY69aMymcY&Zn4XWH8u(}RWjyDM)f~E_qhgIB!SHs*1kJG zPK16c)=6C57I<3no3~XBv?X8uz0k4FU?ub!hQq1re_eO=xFoKcxB`1$fGS75qe$_Q znyJ<%@m?7rRbj4hrg4%*nh7@zcHn?x76a&X`8{nOJREeiq}la&0%ajJ;?1sleAXXZ zKf9`-W|+}A{9@7dzC9;LhhZerxDn=^lxG+9TDFS$M)c+6%tK71(ycCs#iqFDc|niJ zl$g|s3tJaIB=nn~NMa${4cK{Wgn6o;u9IwK7YKLAY{1zuWnO3sH?LH=oBv5}s4|>G z_1D9HHjey|CAR7JC=ZS{?~mO7YUSb=)U$Z*tMp@WFH;p+lj>ooxTet_%x(4!ab9G` z#l5opN^?|Ypcx~rSn*a@W0j&KJ&de4kamo8n>`V`wc#a-ntNRQ4sODfufWO=I;>o= z+BYdoBLDi}&;1x*`J~CbJ5Qey-L0oJQ$QVW+=#!<1RvS9gXdDC(IZy7DNG-oXO&G_ zVg&H}eZD{Se9*nWy}#TI_5A+4eu+Bzy4`E(`5HL-?fdjTcm?_xWLqix3@REgZTW&q=&r=d-MszfE2*2J7;)c4 z@*QAYkli-I*GM7AN*A=i<-6J^1ygDsbd_ym&W{)x+)cnGs=1qBUbp z%jZie+hs0M@s?=q2kX_$+)t`1x64GaU>uc`cq+0In~A(*_YIp9vc1CjsWP#Xfl1fB z^{E|&b}a`;hLi_ES?rzBD)f)$ax@G8Z zDj@-fdP|WQV{zL5q83%{;q^ynQ-ij}`8mdC)#ha7qaMu(30c8dBPBZDxwPNr6w!Za 
zi1!p3r}o=aM&bS=aW=7d>Pq6@FYcc9_sgiWwQ0m9QzJiZ=O5k&N8Y(^bm z)7)yTfWoY{xg<8j7`ti4tU*I=R)bp~4tcPn7&+#FOqQ2CtI6UYb4wYKB0xh(m`KBf zn_Qjk8nC(>>9T)xRXmnFMW$gyiO52bolu#I>g7x>A6{Cgl zM6E_rm?i!$X$nu(u9rxGw%Sx{p$78!7%$rN73H{BI2F=_$z1I{RR2!glO=ko0~o63$+r zKv(Jh#a2PFl&Vd-Iv0v#sMfY@lFI<##W5vzXFs3aXZ7sgqV0q)RiYVxC$Ou<59W#A z>&X4#F=TAO$BoFC*cC{9V^Qn@38!&O);`y#x$q{kIpD)aV3Q6FA#Te9kevl}^R`3y z5>xa#zK$SH6vmJX885pL{-`Y~%)3zJF;?z2&x2U*LBQ8qE;G93wy^U3_$Pn+7;?tj z@z1aHnp^wfZl(lht;>^YRJW;^_E*8exHg=IkdH1CLak*GbXeEe)rt&rX9W!IR91eR z3Qa5Y0%9{9TG^6lxk*)r>hDs<3L8`C^%;D&ZdW+1dbF|T^7>6KKzQ}Y>eozY=s)3V z$XwUgbO3I_b7|<%F-KPn2GF;)u8G|vtux+dUbXQS(yh@^i$*N&)l=9l!}uEKDdnc7 zmV4Kd?0A0q5ar)a3T6B`A2&x@5(vIGrPs~P4#zHF%@+nCYm=om;(0d!yOV~VRUPa1 zPS`fza)WzzoDW&T@{508Bz{tRe5J^>E-!wa&lguc?w@;Zh+lEv7faZ7%qJ1@ETG{l zOt7)^=>Gdj`cE)^cL3q_eu)<}Js8bxi99sV!)Nc)PkE%bcfJjF+`rfXpWUBEEy!VK zBTlt8_hS1G@il~t#m4Kw{(c-eu=zzl&9}lk{v!1}VgovN3U(}YD9G2+?*e$#K(;kE zRBUf{j|=x&X2nhJ6<$nU%hLDxSaj6r${2}LQm{bVG6ouNz|zQ#er*A2tVWs8UCkNm ztsplmXKchM;=rr{*Sco(YO(@1)vune&DKNKszBqHjdX%eE63=}DlIM3z}n_V2?@~N6O9?@9I#4Q&GjU{tdrzbm;v*zkbH@#b8LGTwkUT$1aB;MeMQ+mt znV#w6djfA!=2R3y6lox{s1RNcG9FCGYSou40PMvlr)C+_X$fmGQ@Y}wjsehxRJy!% zXewik(#K_PaqIhQuwbvmcpYsy9hbZFpms+2tthQ~bMESg0*HJYuK#My0UY{8=K;2721 zw4UW4PNDK!$V`9WQzVxLw-geweN5{0^pJ4sPz63FN5S=rqDhIu7!Wyq2UHdR>c9rX z3@-C;jA$feWg!6`L3$aOxixwg9PkY#@d9$1$IHdxJo*!?i-gkSmL(mQ_Q0 z4V={)L})Mtm*$TOLGOnn(X8;!)se9BwJWdo7(mri%W z(c?|}*O^L=^MLfl?{&3B&=PYH^~s+LHqLn_ajKkh?i*)E+4W=mQeoKD`4>gok?Cvn zA9AUXa8U*b>bBQI-=~hc8)EfAQjjI#2H`5!`T9r*7=0rneqXPvfy+Nbw&e?=j)~z` z?Zj1RS6r+6mY-$7rvs@QF5aluMzglQc~1vl8XC`8o!Q?_E57D!K3#A`FmhhM1@}!@ z{iq+ysF3IHP&fAFbd$&J>>YoP00`9PWMDH}GK)P?L1 zzmjPL+w@&Wit>f2GgYaF5re5Uib0wT7*gmoOl-O9Swd>0v}D|4uYBC_Ybp`?^Qx3{ zPHB~*^zlttdX(OADyfji?L1g7$n;ukIn{K8>*C4p;)rT}geZd=qS=s@7f%aTu1Nj; z8>!krUO%Cn8Z9*L!hXopAJ^*SVVYFcXoCZR2&jnnXa0~5Ga8^u4?m%MWbyymGn z(Ra=(S!)mJeVz}`RlH_g$KQcYXP}RJ;JaXOjCLAyR@IG*6&l-Ygex;q6=Q4Ks2HPG zGzwO(js{@Xn_&pC2$>{ce_-@IobOWtq0e(SulW2MT(;!tAsq1l<-vK3?y5^sQZ|{V 
z57~KMVG2TR2ab_Rg!l^GkFD9VISp5rk{WXhSyqK9f>qA5mQTDB4r%1#XB`S{A+x2ZE%>kce8SS26^-5Nx2M3S{;*_LeP^cDgSQcwx8Q8 z?iwfiEw5CKOdht8dYa^oG`O)3JR!#(e)qoIc3^T^oiirIbnv&Ax7PR!S;E2nVrUPe z0w&N^)4ROu>3wqXy{zBd$SeB1-ahwGeq&{EzpRhe9unyRvhj(&?k_re^z^zvsd!%= zN;@?-%Kbh(-_bojroXYW)|wi{2<YUMXZGqc^Mvr%#+r4K*dbX@3J9w6P0z9$?5^`oI))sw>sTc-EWd#> zP2qHi1MY0xm;Dr(hkf3eOF;szVW6xR^BXPKT`6kr4UPG~&kH^1QM>Gs`V-0$> zxaDQwDRV)nh)##HGncTuUa14sh!vY%Z1ckx^U(JPnug>NA&s=P%&>x85Kq|%uPihd zG6d^4n2_MDG-0|Ejr-~ zLMN-W`M+D4z$=1_fKgUDv@E<<0{U=Plx%ZN4vASLOc+%bI?N6$O_or0`+C4Fsi=Xs zY}D{8R84YJ_y>flHT(EtDC}o44J`<>wPug>kw3QK{9`Z$o6Yubr1ocol+4$TP&^kO6b4{3vcFv}!2^We))oQG@wMM4H*oyj^-sSc`%K$=Q z#?=xVG1APXklC8t)$qj{qSfeCHo9<`ck%|%n-%=xBvLN8o0gQl?Qr5QUoVrY3dh=x zW4ov8U|%(f?5g@3UyXn%=Z+c`156^5?F0&}D)OYOyG3=Mujz;Kx-2g<1pH--8ZmTV z{bqvNg}~N9%4)|Ai4`p>r`n>YSGp4^p}GeYTmU&|i;U?YF?EZYwpgk8tNng&)_S8QOA9y>mIaL!( z>hA_f+U@hTYm*ZSq(?ZuIdLCc8G+FyZtdyf;mvuUYDCcz$yPC0dW|v*u|T{<@;Bg? zudQl&lSUlgV%W^_Z*uvyMBng`QAhtUlw7rM?Hk?xub!KqeBReH6de zv3@iHA4R6FRog7mR{>E zhcJgPyRdxR3aV-gT(|$BIC%Gw*~cG!eH*$N$kqq#o(46zv`=6J$8s?v?z2t!CLfGG z(1jP&TC?7p&Ar~;xwNy_Hn;b{H(?tC%9gh&EO?IF5s#jzDb68@aalf?4^7X1p^Jxd z8^cEYFLz245ynIQTLKsI6&OK=d5Qhj@`qr2Yiw-(Q^b6e+Bnv4t!yxl`JPhX_y_rg zLpwWbfEofAeBy+I+)ID`Vrm(+1z?7BCgD2gU#bf|Z)T-)FAWV7P}`kR_n6&y9KgQ{YY@?k8FfY@|TWIwE`~;nYzc~Y#4 zOYp}T(4fZ|bodQnuV^)7xIN)Fq<_Nee@pU5tS5Z}Uzb#gkG=8PT9FAHQG>ugW(b2m z{y6s%z5b0K>Ock&k!QOeYnom=zdhdhHwlDBJVv5pr6)dQ@I5HemR{2KC>%b&R;JMvXYlsS^PGe8xle2 z0vj&2MIj`*2=Q4I40U8-<|ZWC1x+}0HghO6@&$!`nLPf`mP}znfRGm~+8U{Vx!xHX z!H*v}D8cG5rd%A@Bd~Wbe_OZX*z`Bf@neqUpn~M=2~)T3VmR&p#3eq809|rcXmrCKXg;}{IlKOZ<;-o5 zOLZTm1M^IPc7F=Y+$$DRDDaOw&io1KpL3)kW6q@oPc_zS*U zo?se~cQlmYy2`)b2Ffrz%gDgAz|n+A6^;2sskx+BA3@ab(9%(GlF)~RK|xebA5Oi% zR6fxB(7JVk%%+6ElwGhK(3rsc#T%_1ZyqCqze1!zJUuO#q;>>RUVTO%JSK|Y&M2HB zJ_3bEBVe$+r29$wB^VQ2z`-Lg*||zQWJN4_Me+j^xUvLniN>}u>9}4@41x%qf)Ew( zV>{l7;(@8YUqQIuBa`&sHcfU%enzHQ{j^7L3(v~w`#zGbJ~`abHc5?J$DauBToLkh zloIu_!I(*rf;(X>M6UG8%xOEYRU!bi2a-gKC+>^uw*mB9!i&qro 
z%&v>KO_#peUJ)Va20>hopHEfn>Dq8P)u5T7aeDRtpv+QWlaiA>u(BW&4}h#~TY;A> z0YKI_q&VHGVy%X!poF$a2U=q!FLoc^y6p|c;B>ju&oujHA{j1GLN(u(0D8(dZ zE$j)Tjkez_anVWJCPFFcx-b$s+tTXpBw{x2j}`lkm~fbO%#6&GsIJV(!dTdartT-N z%7X)QpwlcV%_Y~Kiy8g-6A0DFPY4oRFP@b{IT|Th* z834Y4T=&N!3xw~=e(J$sTUT^joc$LNoYRT_MfeQ_9TbY(RDkv8_Ow19Ke?4yG3 zNvz^&=Dx)38~3xLhV(#c%t#CNYuf_x9&v9lOO=oczL;tctN#u5Xa*a>k5F?pGFw&} zu~*BwT%)_8YE)iMhT^j10W03}`!n-*3*`7HLj2(9`B0uN%9jqA?6a>CDbV$Uq7JSw z{#N-H^0Y%mD4|x}jTN;=g(Wd{La6P0HTR4Iv_{dgYB!}>5FFC5^D6mg3Y|#3B!Q}= z`T=-WPPns8&NAUeIENSkFU=SU)Gzd-4uiQ55FUgwbltS=Hfgo?ga!9dDBWdTas17MMa6>vr%MZVv=>_a4WSzAcaOWWa^CBzt&E%1LNMd%ig zqS=N>eg+JTGZoE0KXC2;g-1AsNNVGMeEvICw!k$`NDM?Se34Al4uYGqEOJw7D)C+bJnwUUswo!wp)JewjIWMSKcL)O_4NN6dK_~cTc z+WI`C={gR2O;2{3VyAzmKOM${ zmzt*6wF+@#)UH_G&BU4NE#%c9TlDIlb6tcS-)y^A?e|DbxIQ5)xD+_3m16Z=32#D) zpu>}r4F5=h4xDaSOHbrT?kPY0E^F0kDeXpnJL~ohOn!JrbO2o!IeA<>or~_O%5Ocx zS0w(9FGan|wwPx5dsq9@S4i&AZ5d8PV;2dB2>`$2W#*>y%7P0ACGw1B@==rGGA=$j zIeP{tcQD)7RM?+@Gp2T@pB~eWx1ue6y!~`9KQC_TdI{BdjQ_`5b#N)>*=lmVa%&&k z_nWxHV1GU`W;>d0?nw3tXMt#1$(UuZfz%d8tbyx!@`z!5&@i+Pon&5BMFn|vi8QPQ zgWQE%2agZp$H2MwOs=g5=!qT?X_(l;XKrt=aP)83%3tZBO_u}((`ijyDFljn4d4{8 zIwa-9WD%rI*oM~TJV!Cg=8G^Ek7dpzRmM6dGJnml&=00oTWQh+HSm8{H+TAX07z}a ze1SoJ7w!2TN~3C5#5`rc_y>BD_%f+*=z{KqWu&Ct2`8v0H|9Gu^QjAuN~hq>bRzo4lntuGXkY6 z7Rn!YbIEl8&MgW1;81#zb~>x!K1jgNlr7acdZ0XTN@ov%0GQK=}jcldBHehEV*Cs%i`KON6Z2}V#2bCjauwpp~i zGE>ssf&$%PUyw> zMs&df&@_$J&C@tnB~w!&XHqJd@HJa;Y1IW$>v9#A(dQIun<(u3>KZa*`Lv1&6=mn3 zd!T1b-w5a2*$m;j{_J+y)jGkU^o~Bl&s>@)NQ6ujPpDMy$H{FB0si^o-Kl*M=g6NX3Q8&AURzc}BohygFCW6&c^QD zs&D5R&z#vYJcs0;GmkKhjFVaNKhngZ=a7rJ`_CyrDL;CgR-|E2q~y*71qHBCEJU%*>9#=krFBgMRNLYgLo1lTCDedlL5-u$st4D?LX&>wEG4pme)6S3wK!+{0L`qf}-W$7vkOFpPoR^&8O! 
zdqc9|z_x3Q6r@m7xtRWk-dW1knoMbuxY@nuoDVpe^KcoKK#Qz| z)ycfTHQX1DWP@6OpGxYQl0d*4ir&xq8KBjF+c!%_3TTh8k5AVht0yf;A1>cr zUImgqdAq#b{MPpm4D3#{Ps()tzhB zQl5X?WKyv~DmEY|7gZQiugdIgvKq13Nw5?pr&aI%7GgX!4ES2i|N2)B9SkK*Yj{-P z`T4wzSpW6@x!$$7PFOzrWU3gs+Oi=Mg^Pfy981olSbeK`G}D6 z%PGR3V>Yx(Y4L1cNzP#)@$#;sr(DoSV8jc*uCq_LMchq_GMHD%`XKs_qC-9@J|;O?=+-HHo@H~8Ckb0xdWR1UCW zrt^$REo@E?eKuvsD(j3hGK{KB^rEZ#=uEW4-ek5Iht)2qui(cf^WU~(qL;zv6$KNoJ`nb$5Cj;13=qTWld ziXNU+P2W1EN6Vlo^fDWv@LY_cOKIj^lM5KTgrZ|&t_HMRI5}0C&^`Kg6pU}7@IX)I zRNTnYBKdyeea?PI^}NORe!a%e<`YiJT!KsA-ica=X_GeMoeO+{^0DS46a89QC_X}A z%==c0zk_76P_yW!S=?{52!#zs<{ZR0YfQDNew0wy*?LNaD9n@?3~a_lcRE=C&W^t8 zKp+B46W+TDHeX-?xDWO((haZyFZLYC3jURQjRr-S2JvX}*AQRMsDTAyz4TC5K=$~3 zwV>^8Ky3)SEA;Ar7}f1@Z7omwK(W+`a1kFWp+=epH6*NE~`zO4i+&h`FUgcg(p2G49 z*|~BfLcWWepv3>4grtqaIGWA+DpJDNt58>;#=VNaH8lpIWg11htVhJV{gWk4w{(;$ zlU*SzPLi`6`DI>;Eghniy^>S7mtm-4CQ)wu{!kg3*vMUTquTp}u6@(B%RNHxG9vH(F~%}mvF}%26e3vp zWD^@b^hq`cvuy;&V@Km5F5!hM*ai|9yt*ymTTCl)9O94s*V3PwY&bIfXnD++mC->R z4QPGcBMyWlLMo84P?(g)!?={U+%k(wJAMn8RWYBje1Tf=GN=o!^!ky#)DyKu&&POePFdywd8NUIwOj^dyihpX(5DmWwBH< zJ%A#W084jsoLrDO+vmv55_7l_yuG01F7K04jNrIMKsA^uxyTjj%24waO_WY9r9b^^Mf7z z>95Wqe)k0>>eda>Wu?ilO2VgZHy(U&TFbkjwSzAR%HS5&1-na;=Sf;&Hz|&Llu+|? 
zbSPJLS~}A<`e#W_`*PTFmuHPS5%L+%7u^rnR)9nf^%&GUK8BNq{Jii&tP(Oy>Y&Nu zB)$YyG4yzcg4lvWt@Yts{e>cCe)$>8ps>A0x?hvdq?DBunH3%5pA3V;`l;N`*s-R{ zS+)8sFWKL-E~M&9DEyw~oO?#V{4y1ikZ!?ndQ?OU6TtcXCgOvFz&NcH`}qA4I{NL+|MeU| z@XfaJ{rKy?Jh}HX-ZS{BozE`Fn=yN7mfgB?Ip8rfyi+UB2?bnH_e#Oqu`Wyd{9vzA z+?v0K@wicIOrY_1m3Jj_g`q_mX*P~b=O2$HXG0Kc((wKr-Cj*Fj!C~-8O_s6WcI*j z20-8*nw;G;F|+<2(W4-d-9>W<)42kSrVT&^Xe|o^vU!WKd8Jt*crB|{qQcH3+$Vf9 z3&S5ri3)7B`Q<(`4}om88C1wc4mRvG3j<`Cy>`bR52o|SJK`VUW|K2zwb@Xz-U?Z1 z*Qmdu>b0BH2PerFK8&!BLxZPqn7JaV8Buer@5{XdK4~M?X;4yd z?{c!EBgR4fTeXnty8oo{ zxFGH?4ViZT1eIU;G%$YZL=+rU!wgq3&zZ?>idxZ3P%$$QIWjr9GBnzKl3JTfa*LK~ zLdVN((ZHZu7(w<`71RXQS!C~Be%nLdA+Qlv*%bxeV6)%WKO^caIhz_A8xC{sN^$XH zB3L=c8S~{}Zh2dtBciRLGF^lzNj#f^Na-e9ZGmA=53BTxuRQU$qmk!J9{46Joe~p{ zt2wJoxeX8RV{iXoQj5AC&(P&I+gwo+G8>z>Vvq_ux&f2@3tZW)c03k~MPRyU8Qbg4 zc3dAli+tJc70t6{_++0=R!&w0avLT*mR&IOrkEK7fMz>Mhn=$`xnG(9%SD6)en4|b zX(ET+_gRUC1i(exY7rqtAJAO8Ae;T9c~*8sRuf(xj#BhKTIb#m(@wuN{JtYeLAZlcTxXgcf$wp0q zzjCXWn=6s4)9fyIl$Y2Graq0DO2C+*^pV7LIzb7yS#>~(GskoZn7ec(=|$mUOo-J zKHhgit#zx(=Qzl#0XK(mOuUTyyYH_gDj0)Z!f zcK^d(ADtlneE{VV_T68QBK+_ApQa4}P~HuW@qg`||M~oYkpDgaxbfh5`K;Sp^Pb>B zbFYrOCqlPZPzl{t+`YJ=-Pe;?PtFf|LU+~Nxn5IcpglcZe0;usmQo-`jI5^}g@XNx z1$|baodJT+h^Jq`TRY1TuHPq7*E?l`{nEK3Ej-}BHjC;cc73T`Kbu3&fDww;!#&Dar(!&b0{F>$EMKh?*8Ui>$f1uz_Un-cFr?Je&N|#? 
zvPQLcrVMOt8EX$r6S012FWuYAmDwkPAW*bLj;rH1x(-9~%n#pD@~i0os3$prKSUJr z2`rE}{8g&d0h#BBlxEgE2+(Mk^jH`{wwChpMBwJj& z+_^=Y#+?@=;^iBg(tFk+@x=cxTYr9wiD;iAq-aX63NCV#^)lh0Xl_;c1emHCQzV zW(CtlcpdjjSJKkpD~K=S))E-DPXfv`-pT3lPX6~hp}k;9t5MY=x%cDo#&mZWF~4n2 zH(tNUGsi1R8%4bTWzOU;$Nk7 zkda(MQ>mGSCbzk5dVZER%Lc4`A-XpG;6#2*hN;aCJI9dCSTj~dD-gc9Je~Qt0^Y?J zA?IhjMQzDpbo7oXI@RSAP;Df$3#1N{bBEjjz)j&5sFh{S*_4uVx@Yjb&j9~J z8DOceWu`Zf@yv=-{Z%+2NxDCy)wJq8Z7ACHPp<@@hR&FH;@MNE&e>N&-{@K{8#OLL z&XHxu$ipQGy=R*Qtk&?13XWq1kqrZQHA>LXE~FP`Jf}HcjYD~q6z(db_R>PP504Mf z=io?^G5SN14k2cE7FL}B&vqK*eATw*`>JOQz|a4IwuJHHzFhG5Y-^u;BI@Gw2 zXZ%lD_U&nFr=HQ^J2~&;O+}ynda2i+?mxUoEr9Yo-G}U7P=}m7b!Le#WxucQy zanpR+=0@J%QdJxWafDTML{onL(6g7yjMxxOGazCgxnUnx)aORea7o2KWqXc1{5evd z4$-Kl5Ze*ZT$^M#6w`z&C9OIxH-`E?X!lt=CAdVPU~_t0(^uo6?+>T6F|EO;);3uH z0K>9b*_B<8TG1%_W!EgyhP28w0g(P~0*VA%`XESFu^d4zYAOz&jaYMfsMTPO-- zjmr(eP?>zP@%pqfHcJ)?(tEW8)35BPk#Cn=l1Y#WiZpc$P*Vc|y1cOn=n@gMV}0Jb z^)U6CFD+xIuq1%M-UdSkNv&L(%RU^k=WAdd`lY+%^<@axkE9;5)?VwArl$AmF#wkR zYd=asC$|f_ebGQIMfO?;%DT@cRkOjhTu8oA;I)Gy|54^Kof@5IxI|+E5G(aMIla~_4yg(dK3Gluh;N1P@_j$%> z)WQfZrbcz)tMl!iXD2KS(Di%nkq_VeKnL^h!st<2P3913lpqoqG~XGY+59`-Bd@ma z?){7Nj8#axfC3quEVuR61gSq#Ef0pfbu%Zho3Jou8=37OfKf}0%1?J0bN|kKPP+-G zsw@Vcx5R#rx0hc)$i=w1=A2K_S4ApJdlgtn&<(K#u9m#O=hI`?KLMb} zJ;p=)T~u{OT$8_`yeZBQWb^BxOaz-`yMHb{Z<74jy2F)huB-(Q zR)=_S0)ivAk=>0pv(g3XIgQJEeSALTr9(R;3H_xNbR4x8t@^Vl1&UhYIJB7ChpB`r zHB?wYOgS}wdycb?IkvkdN-bvDhmaV26H6WL)G6eP1nw66ZPZAQ4o>1(S1Rg2l&hbp8@1@*sMJk zQ1&lrIXF4mAW46PAL;dnIX(vJmkqqV+W@?8$0y)(%$y3CU~>qX{F8GHo~Y z4(2|(Y2UtCZD=*wDBl!gxbB@asTb8yC%;>JUtyLWd7;(luB{THO$QW7rIPk#ax1G! 
z)#|xw6ly4a+_!Kr-Cr1;ic-Im96>Pa82k$nAu}dm(gvR0x!}?YmW2zE&`~4rOI?6f za8o*BdBX``F5p~*k{wvmHiI-gG<-{HZ$>%~PcKJlUFBbMTO6z9O7M(`9a%JR#65^> zx~!#HNaEV7?0fpg@tozTfyvv%VyuNv`P=^-F@VwD(sM7XzJUAhicWjeSisxgFo?(y z1v-w@gC^Mg0p_pLFv$Q;=1Xx=>9eW*ZPOW+tJMg@w~JS^8{MG2w%Y6&rGN65CW>C9 ziz7w#UOifG(EYs1PT5X1?D+3N_g5sQnD~p#LyRw4fG>yeEdNaVN51aVOA~abCK|R} zMMAIwKdG73qvm5US_GcdsKCAvwRrux$H`7N*dKngQz7YxLw)`D5;`p_RauYBy%qVj zBC7RZfQ?c<#;hZ9-;A~WDG>k5GRHYGc{d?x01q7<{yUSNr*D2}bPFypv z9om?T`j%&{Mgp7E z?kPsHI%iwVDcWnFz`hp)HK~$AG`gB~PIWP+R}a@XaP=gthRzxCd9{mO?=af?82W!prkXzXTCt1YQp$@ zoxQ9V%Qj@F5t|F=Mf%j?_OG~P)oZexwm`O$1bu!Jm6F+U28+kfi0D(PA6Dw8g^THuFzd{GtsXB3Cok&mkZ^eP zO9I{9D<{XAnVv59Gy~5W=AP25_^rMy%nNk_=)s1OgGpC0z}I@mI;>*FCa)XR8664~ zeam}775YliVM0^)gK5Sl6;PNIdKo_b?{m+D4DKXBk|XGpL1UcS$7jcH&pl@p#*NTz~CaO%{6_&f$vz$JNM*sl4&^CY4uonUDZD7EV z@++npzsaXEHX%Yq@5%2&aM-s-6we=~kiFcX?;9+(j@RA7s*2eKowA8Wg^Gh;sJ%cS zAxR}IzORp27+vlgWA0vPal)`4qgHDAoFa3$EOpASzVz) z-%Q7=;2(mAdAqH)@H8&1bLwXkhhrnng??f%x>|T47%jWwCq9(0{M2Jz z)HM8wz2jlQ*lP(H&4iS+pfX^7OH5KB0;V*e#_-KNWAI+!`!*if;Z)Ww#gS96gb5gd zn|1zHe5B@p3lwS4CvIrRhVHAUAyJ6qVQmmRw+?ELRMe40!o!ri4)zQ;g?@KPbyx3x zUjZa$zn-p(#S7cD4uMl~kSdBJV0tje2_LskmE?wt0{nN%lq5q81$a}Cvm$L2X#t8- z)dJBu<9*!x-BGIs7o@I|YHIys9SR0m43IAYKUOv`38X%e|XU-E6UZNAeyYa`e5uj*nLtgWm9H`p3~ef zCv}o>JR$Yvq})2?M%qa`qTwf2Z}Ob*Y*j9?Q8x`X-P9wTZzAZSQ{`Dwlbr=IKyu@jkBZex=(O}kIQa*Dj$|8 zXBst#lzBW;F+&~CL=qiSezWV&ida-8G&X)*JbTT*_yjl62_{>X8L@aIp!CZ@z=}Dl zE);3u_lZ$^{V4hobL6gs9a$Dy!%1$@b5;uob4{)&vt0~n2;PK**f};V*Y<|k-AD#@ z&Oo^@xV5bILU&8^MQ-JKoi0D;Kr1a+k$*^7-H0u}b#Pxm2l`61ANQGbb4CsRe4>MQ z*bxqpFp8+OXMqXDU!Frs6G_t61CME|SOjL^FdJMqK~QjP_fil-#if_T0exoP?(5jp zn=vSLJ5GLu$Fq`O_zGI&f7^ab^_w=P`gzyQb4*qkCT+NP^4mmP)FVSUTa9@bdajdm(&&fx6Nc0 z>jAsqprxi?318SljD>o=sEqN~Pr7a)9SV#&=R{U-+_yw#G_Dz%L_zH~76fvaMJ-uk zefxYHj`U5Z2m?|4&w$4%ZZ$N*@&<>J4+|wM-1n<^otZ@3c&j*fQgAsDO(G^WCf=X* zil87rcfust$!1AT3Kr2L8HNqpSn>{AE)_DN{!c0^Ix^Vk`zv@X;0E{>fKQHp`vpkQ zC1*6?2#Qa(?RRkBh*cO0EY0Zy%^Gi&3oe7^2EJ+3E?DslzT+$suMBB 
z#alYYyAVAiCyW^l%wnd!RBK%n|9^i#Fdl5T8X%UgT2bpS^^u3rGDn{77ZF<%=20{&60u7!y2PvTP)3FwhLnzsK|ax1sxy} zB$P?Em^_}7QCB5in>P}{sxwHm(!QD$JA8&plhw(Hn9E2oZ6xcOV-k^-N^WIYG(1@Z zYXP>elI%nyiFsC>RJ&5i6)0c%I!DP7i-ngI&}7c|j=q#1-C$|74cgl89xrahTs5Ow8(!;TZYH29T(MHz~g!G)VA1Y)lzH@)N@nK)le^UoCR*A8k zn?|=zl-fL94;wNwgoL0W-kRjqI7F~z@KQ2pv#CLR?K}l5XfdUg76XvUH-m4v4`7T$ zP^pqYJGthhn6C6hv;yN@mFN|RkJ20eu1kCtB9_e{9*z`o|6OVjd0BtXDWL6gZn=du z-iW=MqMfUF(6EdRoCZ2I0=KZ2sTL*N%`u-wwLMo|3#)aG4e_Npxf+MD(~109KdioA z=lb%z1!!hu>jERiGMM`hFe;#_CigjaP*=w%t*0T`tVqRqUfc_Zy@Z4_vIl4K+u~Ax zWR!=THOx=>Ca^ZpW7LOQMqeB(G#*(;P!hNi<5FMwx!2A8mT&dT>3nbMr34vnCRIHj zHK}T?rRM9Qae|MKpN|8T!(WJkbZZV@kSJkarY3pB4CtKzBD3hVfKC zg{vc(FHix!r}@1p2^C*!7e$CwT472?eQSnzPL?m#G^2X0&wfqNW(NS%uhcnp8%)u< zFEM^iT`t?TV<@}h%G}uuj+3JBPc8fm1m8t?&c=meiBUs(RVhs`zzqj;V9Zu;Mz_3@ z4Z|AJ0+@2=z26J)HBL#ay1}od4&pec%0uEcVQs2lk^e&wnONGQ5-79L??c3%blAF# zf12`mqIGD&o98WkW~+59yJr3V(AU$eP&&KPjUj~6>`EO{V&%H8b%oE89fnM=L zi+XY&Tj$>;H%(l2+<_1uPa##@dcRbFb+NE+yq$i5#1i%L2SaC5x-DcN9!^Zd(0rq+7DS^k>Z7RT}Fv^v@ zKLsp9X-!jC-GB9dOv^3xda-&?pHrn^urpT8S|GSOJ)vW78d}@o<1)Tb9ZZI*=k!iN zBq+m?6z$9{lnyr+z@{c4k3L2rfIEwBo6KHMshNN$8WATQ@3xqDG{?t;0e9g7mu8rn zYZeM-(s%q9PqVcNFEKtvWP!S6sX<3m!Vc?a%{&_DJ_<_O3_?*5m2bV7p&Po#U*v7X zm%DjNDoCo0v3R0to{7=6O zrSOE{?$A`D(C~jJ#l)_a=fN#xz>g8kGUCo zDNnjJtosIUhqR}?R%-99q-cptq#TnG=Nve52Maf-W;B4nQ>Po(1TZ_+P1L558F6Ep zrS@GLvC*&Nk6)}22_SQd5LnA{0QqMy=s7G(7J$nKx%RZsBnF^oY!Uq^OG2PGsHjl0 zVq;qNrQ_&4R=875fS0Z_6cb{I?xMl|t%r*ASX<#;2BOupg7hpUM=r+y6Wqzo%@E*; z&W2DS($JoOq99qdEboop0wfJQ!}3&ss*#0^-b+p`U2W*&KiwqqH%bY@o4V`ThPBSd zRe2$X&l0^ZRUzjvIBjTr7=kL1TZP{^G#Mj@njAeyx9fk(w0}a<$_m0DJZmuQi#^QpRj($b?d?{rDu9#Yb0UMj9O(@7#`_wUCcQJu+8Vf+@Awx@xU(#UE>$r&vj^Jbr!7Iir%(= zh@>2vNW&>(BHHCium=7mt$q0A;1b&T!48G;8SeF2OF(xM++BYa4KO*Ma1DWF=xKj* z(=R#&$^21$s!%$Zv|Vz6TPa7pq$&|E+Q89)lQGrJ0C*6DQ8C-OX*}~?%qiL~;xxJ2 zIAa&jQ8Ha{St6AX77^G~ygMdTO14Z0C76^j9?d;JD+kP!aOL$W0joWiw@)2 z{wtFmY=SS+?sTN5K{(*pho4sQD%u5r>A=<}g(BH(Eb-Flnmg!1c~@d+lDP~ZTO@R4 
z!RDBewS2L+B*KyLU-`fi%pzkArjPt#wQ90YG_uppR`V)y>`YRn&!@nfMvyI#{ zK9+q|#>qcUT*hQlSQGJc^!TV(^t{0SHSMy0tHu!qB^fb#%VH;V74GKx`b5sQdIW zj#vB&2C)E3S{O-B(hd3qq}0`Xu@%e1X*F;7v`7Ht zrSD8`-JvOl&ykEEgWYMFKr9!^YzdET-*~lKW`*u~b+4S%OPo+LZT$Oczp6h`wbrGi ztz$w@sDs(~+_Ltd*;K4B7dtxn%LVLI)=Pn_pi#CYW3x&pDH#RUap-($!11xxU$(+Y zv4x;B%i=z@?XO?cH0#@Ha{Gz2k zl{>G8zbY=rxmt0nS1&#C>T^Fq!0$8{;D-CKv&?bYOMK-r7oaqqir`kZ)0L#2%*bQY zI?Y4$kOv(b2^56o(9CFTSb*rsJsvf;z7ccw5rX}GQ;JsATy~HnG6*DV&uxL$zZ9zh z%C>tWq1*L+bb~}2ha*NraVlNhuMT0LV3>*$WF?s<)Rrl8<~?ZE{wxFec|66&(dW2x zoXT^!+Hceq1pWxR!Gq0cehMnJ#z&3*GgqX!t6O#Iz%)%3ge6?rjiYGL3=Qh2Yy7ly z5v%XH2+=iN7MuKOJ!Gkrp_Q@Y^mXsxX!`u8Z-1g~sI@3Zp5eA4paDPB42&36aUNlThlnlnL6c{Vk!a zC(G``LagfcqA`FWMjkmh!bTd^1wuNjMXGgr26FO}7IQ@zb8%X^c#6w3u@Y|^9=12v z(zZ7@>^lM}Cs#cxKMA8ZS{IK~Wd^}VaTG~kfixsoe8r4IOoJ1J#pVKJ5C+1P9N$Xi zOg|>!2Sc@im_p0UC*i78Ax!N!Hp-(szjkz`K?#&CdPwT2uoUr0;i>RIOH(Z3iIW6D zoSp8*BFRgR{Z>kHgz_iB^{s5ZorH>H%BpI>GDg5QU!BD~h-3y4AZeZ0b>$C;wb~V9p9P)bBF_FizE&KY zxAv;{Dx!q{Zy3#ri>YyjL1#ry9l{A!`gY#D4UW_al?xo@6szuaE~l;+Bp<|b4tr)r zgZp%AbAdM9G|NWUQTuR(ox~&L)z?|gnUiLw;l(}mYZ0cZPoQ>d){2EO#ye#1+0c*t zRU|hMQLh=OfLXAQqk^tNif1gJ!d!1OUAsVL^-KjK7VY|uAUc3wF`nLGWU4o`PcEo& zxOxZ>J+9gfIxVhF%Oc`jNJzKhC&-fmkV-}dycz@=tTS%VdBsL>N?StgFK7l& zjWzDDT>IZGZ#2V51i-vQ)&fh0panN6m0%H3~aM zdxGuJcPa{aPUkn`Z_#^b9+8~mHf*bpvTite&cwlxd&Q(}zM071HbWis2;=59&c~7( zv1zM+!_xS=NGC0dshX&q>p9nl#lC9f&j5y8>boGK{j4un>z$SWg-zbjnI>4SGLG|} ziH5s@%MG&z9(|q94%(AUz>ZaZ(ZDr}b4<$ko_LP;Q@IHm%NeAEF&2 z7xQGwsQrR>kO$>#7_Qi$H2(YF@Yyh9Pq)4N29yl9YA1B^J#dwm<&`MwaZ`k&Yxr}y zf+8B&5jV3YHIn$>I19wO6fw$TXgU+=C&T7y{5nz`<#-D6!ZkT93M4N+a1F}TQXD6V zZ)oT{ekK2Co>Di6+0j@N;3gPM9&qkrkO=4+;~6uEI&+DK2|W8Ri8Ti!{5C)6Ga_q8~;< z&YIoJ)iTdC)qRAPfU;vcPowjh+@ROKgbLNmXr6B`5MpIQnwYmw*>0&yqE0;Y0k>)~ z&ghvJ5j+m}VXcNWQN-lNTx#*F!9h4JF)F9 z$0-PdD|2!4_-INF<8DU&;)AJ6vZ!UXb297SR`77F^VGJ#?f!NP|G9T;)>&UL%@GQN zkmriPz;W>0sj(4$G@Hk@XOTg|T?pwd*x_3+Po2wCpmI0?lwnedCk&Rq{gAFj8IogK zgP2kycuTvJ9J`PNGObw{&F;tY_7TRvgXEwKK 
z$2g9!s6T)6XS5M9K^}Hu!zNau?JlC#s-;4bdwmqtAJRO_Xz!((EpLCm9K5%~_(?qa zWRL9yrE0wis(i-)BS*)XSy1vXKsVotYj8g4&=C??;7*#3q`s!+2?wHt%)*{$K3VCQRL36*P;;7<~zq@iv+ zPjjc}fnlhHrO2hat82=w%Ywe>d_za1TC{R*jVPUlqsS5JT&LPIp98R;@evN3w@#K zi5Dv*0|p-A(!|c^W;2_@oo*@t)k@Utx#Vy8;hw5QYb;?!M!Xx`6ZP0nxyXOX`G@r; zw&lGlo~W7$7-lDF(s-f|>rk4kFZwkA8ZjnBqP~HLZKRM*%~9@^nM&HG+y9~Io#Pv8 z-v8m+wr$(CZDVWO?bfz!bBnEQw_DqGYX5qFzR&Z=nKRd%NhYr(bCQ|sjY%VU(Nu5$ zVV%>AZ953ZoV5>EHr5g#4Nz*CwBp9VNBT`2Ql)%`3gAwDuI&OM< zx#E*wFP>wd;J&x?@)D+=Q)mT=K1-e1^(xkkDz%L>)bZ^ zS_1+ean5=<(1**A+g&1rKwS!uy)O1;TcIoQ-Kmc}@_!F|t7Ebb%jLX@%W4!t<{}Fy zt#pqS@Uw}t-Ol% zz@l_#WKz{oPy{<~NW(k+j%Emh+gV)~IAtS$F6SF&l(@~LIPK)7oSJXKoc$oxn+KnE z%%sO9zrOH4JhFiRo7%g#IL%09at?AyK~DCSXDulG7od=bH+(Z{rc&~rkgrxh^SDg~ z=VD;!#FqZN4dz$xKu!-qWt|XhlILmNi9Ch$WM8Gt+;KTn5wx7EtLO^(5th#cuAqFm z+(?Q}DAn&y!CZB%u?eF#Cdi~v_?sC6iq=0}4Lhx)z!}f=X65x_60zPeSHD*vAo8nD zval|TS$M@>o|ckAQ}gei9p--?!J}{H)j1+p&^g7?IZ+)0Jupp^T6M^pjTTq8ZKWa> zUmBp}`SK3AqRZ+G1vO2%{R&;=WnFhO>WaEq>txd^GmCFG#+o<0s%0Z+zQ(0AHkD5| zmMq*^eWd|x+$>2J=FB~B1htT{)LhFYb3YWiOemYNf1Mzdf2H<1-fCp7mrL$}ItjH% zt1I8v}1TqeE$u*jg(eFVn#F zWQi{+Jr#_nIt>Qj*)RA$mFYHJ+lnqX1TUswylStmn#sBu7)IqWSp7Eg)^B(| zZ{IFIwl2ntY#c<}NyZm~<~Q?G$9$BQ)u!i>qKguh^->rz%CP)3OEPB*Zm7^9a$5DZI2m!Y zq3f#(w{5rXs}Af^ZzIk?X4{ks0>JjgFCOERZCl`QJT zH>nnrMhzr5p3+badtE^T`Vbbreo!q3jOTbkfs}+u7^XO)ADSj$bt>6Bxu0P@D{Ux4 z{isUb7j*P6?N5qJ+;=9@AF-SA^wJ0eAYFuHf||ZCH)f=1_f=4RZk>Op3+KIkvrWlj zhZfnFSj-C4mcliEU+zW~^6j~5KEt{$x9K^%Iz67B@2fhZ*eCHDsqijwC2=#%&@c;@ z5LxlqN;FcReU&+~IAu5eyiU7k z@4j^T8xOpXpVI^B^ajHFB8K11Rvu*1KjHT>i<7H6s5cC*dz$QF{9|3Gk^t7SY=vKo zxK499BF^9@nv;;45s$nmrEaQvALFrD-+YHdgKYK#GoH932++sGVmB*qX<;_@QbnotCn}Detk3u=o zv)9iV-|Hu zgl(%ZsJ(=HVJ0To z6!AVEXJ>^EKL&5UKQ?7a<1z1_b)9x@cw>r?;efS6O2#}(O(4k*Aax#Z8j8%Mxt@5U zQTZSjzkk0WN)MD#$um#qZW!nE5U-5$?uB!dZZB)fGzHgdvs2pxb5Ed zsE3A|h0lc94vmX>yB{yw&@gTh1`;$<_=>i!6?75BZCbi?8Ty^%d&nD8+=0Vk7LIx$ zr763!5`u(sox5d~?RbDWSq`qkJN3UCg)R(J{wursz9M?ny}Ar{n-d<%Lg_!Jo~yWl zi(7GV@a>dK;y~i9cH|@7p1Hb7=yk`%AvJcLZD<9>ei4sv(94PW!6pUB-Z 
zNZNC~q;b0rx0kyRg1yx8)Na&36##Kw*{^`wSKV>{Fud!%n(3~>F7v7q^R)3?vv%D! z)f4S=hTjEI3Ji|@>ZNHZ{D+8ba`S6u>8%u8F$%~YQX==KLLD78ee@S#FJSVOyRie< zam*3`dsxYYDOnbpE!7aHWYQl*U#9he7#~tn@yTpHZSdQD@5d1%6isd!Sz+`eQqD1;d~=woHVs z*#=}vPgczXi4JCT-eA-nSg;fGSrkA z51ZZ7EhQbhkYs_2yS<`M(d$gVY|`6}`Kne};iEhSJn}~50z>OZ1q8hW7pXTD-X;}U zSNaCc+01~IP^WcYOz-|hf%`o)vJgZ56~gDe#I<&k*}=tm0?+zLm@z*bixOd_C~+1>!#y@PP-?%=tx&-z`f=qQ8r!B`wmd9+|xx_ z`Rr}=PIA1bj8zhm>WLLcdC?as!PVSP=M0DSdSSo>Fs-eH)oGm2bRNSb66BJuq(>oL53k zAJM;chzImF9c(4c@fmDK^s)T|1RaNFR@VhCEM^_dH6VvtS$Eonp<~hSAJ>R!p@V4pG^rxkt`3a7RoX zI+ruc)g~%38PFk_z1v3Qt=ie^3s;ayaYXY3%0}oQSiwGh$)O!2+CMUQ8=Ebd zOq$cy7Td`Wx#xEiX$)~8WnxBR!8xchz&I!bDU*kDC=y8J+-vgLJFQxYM=p15;VD%X z182iFNu32kT*Qq1Fx$FFE72z@PE`~(S1C;Dm|gHe%8(dwwR4V6@P2aFJk{&o3MadP zMexY6F3$*bS<;-z z=eB#``!+M*4C^~qZ}D)FOHrMlpD$P_j%5Xaidm-&TVmpZ)BR-`!bcf=*QMXSETXWp)>DVtGKMs>1T!ua zXdvb#wl8^(S%1w7hZLH9&xR)C<48I;A;Q%S8FWc?T?NgTJXt8CuS4Loany3sc-~Xb5rsQlcj(Th(p2?DNyz1SQ%Y3s(`?Ho0 z!5!hpOuV~w%VrDec)IX4ew{hU`*s)k<_EnJ9#)>*um~4uFr%CXRX0Xh?=ABF7Gn*1)E9V z5zi+tQJH$`Vb0=z2y@|tI*^G*m^hrJQC7Q46dE%qI(E!f5qeU32EF8LuEG3zQ@*I} z6G>qCSqjeH1^B&Qyc{}=jtcSiy3^gHY6wiN2etq+?WHhWEiQztG4rpW||<-?9}(+UBD;0ym>LA~ z_Yu3zUJnL-t<=0LIE} z+CFS@pHlLOn6&`a4ut9&CX+N5bWR4R^~rA{L}Zq`=|v5l^NZEZbgxU{O^;`yu7^TX zfa+LoTv1H~(=i)z0(##?!;G3{d{&}kfwjwh)ER!=DVRrfo;Cs&M<-{@-;0lwln_=2 zWY{n<-!B%Qwg=~6WF`Q7#lbS~3)g26lDL(GVLb>_M zP^xfh`+0|aBCfIZPw$Lit`m*3iJT^r$y1g;a!Ik%JuJ0e60WL*TbZFS2EheVm9>=h znGo*}9s47}_nTf-Wh76Ta+)XtH^Y%|??+&fYRTdL z*J+7TjaW1dYV+8+_`8w8oJWhHX>F;}nY!Z*rRrsRl*Rxs@ue9dd38@{EW@eduk2m?!l{GMJ&-;0KBc!F{u2_PjuUa zx6Qn?g@=d1i>7;zddg^qp4${zQjYV!YBSv*)V@*bGE0N)K0CcZ(F%9HjLJ!^0lo~N zH8<5jl@|aIDn)B$7}rzy#0+obom~T!!S*Jqpc?O9Oa#8{OH>sVsiz^Ul>Hz6-q|Jm z_2Q!t3qc0+#r=d0I#-7m4$tzjyn)QgZ}t?^<%tQyR?ms0%veXg4`wToypP7COQK^V zEQlT}V{`9DW$NvA`t_M_$nvBDr(BGz9Gd#L+&e_kt{aoCJSf$Py#fSd^P#%#E5t0b z4q?dr6rK9`DUhRqzJ@Q=~dMNE{w-lSQ8VGs&rXm(nwg)4 zdgovZAh^ya0#I+%2AnAOht`1?Vk7PVbu=|2S#M746_-tF)$Hihq%38atuKAzKY{%e 
zN3^L){bJPVys@<57h=&uIKRvF&pp_9SiM!uU&L?MP>q_;9+NlIG4pMnyNvUghzgi& zM3nui9o_?%5JZ_C0>)s)cGD1i{n+g<46CjM`3~!lbq|EOSpeNdrSD}GnhEXos~evQ zZ~r!iZ>Z3P+HC@tZME@7{c)pKtprFs%AhlksiZ;c-T$OJj#1`^PIFh*j=nxg*~Hk6_j=)Yw)kIwjZ?<>8NbG|Rm}G9dr{34~$hCO`F7NbZy!-I$PhZQXoT zP02uhwP(^kx6&KQ`j_)Om20bYnreXkn(Yyl;gU9o0|dlz{8pr}SG2ulE6f&?U6I76 zdx#(kd>;8bv%?u;dfNNS);S77)VX>nFRbHa$*m!!9)Es$-j>9UT^_6snd_9TwrdaT&$^gjHka)PJHC!5F5B6IW;o!G^jb5=kXs;mgLz8l1LDF3{%6TOxwC(lN+sKHLsuR>rMU^rrk$<&s2Y6l@3>upb7!E4$2rKkiKJ%5Fws9#% z#RZccbBXc9eNygm37yA^l5eisWW@@tcv{N9XH$?0F~ZB2AY*!C=CGNjSF(_hQVuMb zJiu~utHH!b%KF~5oiRLR9qubt(jz3ykqE?!+rnvjerWUtH=jJ9@k+`3Sx`gklo3K6 zMi>kp8&Hu03(LIXv!>&F7ZRHRmL$5HsR+o-)gl}dfa7wTtqr3~CY@7z;M!OCgzqPd z-r{BBrouEPx(dfuUW9B==r5l>e%)G%D&P59qk>wG+_^d<#QTUp+1+7h`aWw5Ug*c) zT(kCIawv)9fKW7YCu(o3WPmNLgZ3GlWnk)ZAv2~ zCC)=jojLqqSj{1o92*Chdb{!CD ztHF#orCBCQbAj2o%+-ubc`=ig3MpmjKY4VPky-J&h&eSdH7cxub{LD)Z#$whCiOx4 z@?UX3<~SfEsdbBHw{pEOApJ?|%K=Kl1=;%iJw1xs#M>*3!Ii{jBSt(Fgw&W9HfDdv z)QY$Zntf+sshK}^;eXjfFn2nzmma^{gr?^v~cw#q>aSo|lCokuKY!Aw$f<6g1r|l@yc4x?d-cGLfRPxB4 z?UikNLyViCzD75?Nd#5cjBM5to?o&!p_5B!$}pBDfZ5m35p;XEUa1>*);~-@GW^k3 zFKrIZ%$I9ngx#MWnE;M>Tk~?Yu~@0kxTb64=8~>1I!0`{(Vvg15l!IXTO0m&vfqeRms?x3CF;$g}sc(;= z$UtAklGODk$LwhL?(R3w>Td649T}r#N0++@;Ij4OMPrV-VeRHG(w~P_ zRTK?GO*Ej2jIxPL@$3k8biz0s$PG=nXAmWQ0(82wn?;B7*OvVZzHU$=oDO~2?O9%s; zTdHZm8u>>w{kdd29YOindgQsahQ$KNj>JpUozh{66T&rZ0kAsUm=T&vwvT~x8|}NK zVw48VSTOSYzpj1%1xYPoSY+z5Z6lSLM8M9K#)Dq8pNS2UPAX_h*Scj(L`3{@-WRnU zr|m{jVNGqyXFx`mc>JFbi*;=CfgU797Cq!JL3!nl^_v|1IV*0zI=$SrzE(RpM#7So z_+#o1&S284_dI>&vFocIs5#VPF>~ZEnjom?$K;2JslB6ig02-6_xyhweT`qlURW~oQkXGO(GoD z-daK6Ckz!2ka!oILF29*h*L=*KQd{qI)rS;S*BK|cZ5(ldK{LPxR-cG%6upY`aFhH-Czl<7J4M>!oSFY7M z6vCLEef$kUm-YkETXDUJu+}}SxE{H*y`2XA#*aGfLMJ^rS~b;0WFLJlnPIFA?M_61 zV%nyyJW3ar4pG3)#qAbMTTG2ckthe?p<^qkVZ$StA4!-B+gk-;lyrelI-qDL&~@-p ztd|v;`U=+y91ZP9MaCX5wh#;tnOGns&EWpF;Ug!O1eJmywkU-ciL(n%V1?qw-5@%& zWqu(#g!^g9?@2)A?sFHXNR_8qmwPI1#HkB16yjN!=`U!p!Wk=Ra4vONv0>^un@d4C 
zX$9-X`mvki3mGsKJv0G16rpy$)FSSVuhPGLRTViSiP_}f27S8m_!qOzgO8&S3qL~~ z-K&Qb$l+Zr?@~MGDlCDKya(2)i>Miu0iB)>c1qe{V3?0IWhYMK(2R-^(F8u9dciiD zp07CNUSP`7o?FoT??qD$of_j%Y?_VgY(``PwiMnElN`)abUYkJ1|kr5r4A3xryvNj zM!Bt~$9vb*^jOdmC(m~ABIJ@i#6rrLkN`sF{aRGY*6H?hO|omD4qd~Va`vrDCx>>T zdyQzk4<+41A;sq6^3%&wuLbWS3!ToiRn`O7tvglRIL9CB&bkUbKw9ZW^U3cv(zT^u zk0}E-Xv2uXaovc)(k8gw=x1}_7-UJn&!vAC6+0wHcnsS5fA8}D3Vk~y=e(i>7o~iu z)ACTeA!{SFp|eFj@Fd7yk10{w zNh39q(ZLLshYHQJtZ%rb8ME*24di5s!>o4M$dSARG=|3JV$S(~M6kVhmuQc@7-&Aq zxN9vTGcT5GHYuz7xrB?tN<&1!4}N>wUcVbaWI~yp$k`n9s+H)80E%^T+33P;@W79# z`u{)AHaq&L=Nn%bx|Rzqdp7S?Y47vwWCr!WK5D%WO(}=l*$cYHQd4jw2+ZL?}?tFYj(2;wnQ5Dp%kYy z8%VWv=9;qBnku2&zKe(@p?7iu}-0h!5@ zc;uJ=iDN^sJECi@i3&nG^*?kuEi`l8hCb~t2G_NT>HbRvS4)c^njLuJZNl7~W(oI* z5nuQy_REr=8C%DN^Y;%Z&0NBdLloda%N>@$`Atd<)8_Ua zWUH*lf~KQ#<-b5eQJ$SQ$Vk++5Rm?WVUe`0Op!^U36@k9KTSTE4J!KmrQ9GqgFo?@>2hyhkFV*rveKr5O=E z-(a+w;BuMzE)T)OZ19LXh@!K)XDfBj#aw13`I+##qu z6o#2Fk@RI;joz}S+&d~PdvlgD!*XAB$_}fw9Riop3X%JCCKi&dnwK1uJNO*u=pR~r z1k0y;p(c)tK2U4S6gFk;Xbu1t)Rjm}TEhH`A@G#Y`{F6$WKQGe>0FL5x{h^KS+OLW zEy^S`=c_yWh$BRxz(G2&fNp9tyJEJ1p8BkjD=#J2iREktZ(AhyleeBND)d}j*SFxe zw@&nzCOn^|ImGl-LFSn<#I&3ZHXAFx+1%7nx-cuNrFq9>LFS*I5H2gzu)(~{MA3bE zp#!cYnJO5T&QiroWc?w62K6YIsf|Ik1Ka1Kae`JQByZD>lF_DpD;4?gz_EZp;ZK%Z zaeK%G{X*m_^)7suRl}T`ESPNug?gPcX|5dL>P&G?xFtp#XT=s_BR^L6;>Vt&NRGeA zfU~S#00I}OAg!EDdqfc+Fo1_{hESQNUB?erbW(WRjM9HzU5v$|Md(?sF?xWNY1+1v zz>-o5@V4A*`4E3ZtDxtAV{rlJV^9OmKtxtXMF` z6r)y~l$#Sj`Zu*S{!8YPX`aB{?U48+C|SupVx|2XenuTMLSbErlc8%|YmtQr(v~RE{06sm_grMBYt(w7 z=wk2?*QG{__M^696jz0LvJ|61`ZUBrrYZ_5@9#e(jY zIpxpV-Ic)ZcW1f|&8FwkU8M)2zt@PSCq1&b&psYR9hfJDkWH31!s`#dA8-7}xH=8> zM`Xo&sZh|K3qxu0Ds0>snZ{ETT}Hhkt~J?OK(j=r5Q& zy}9Xsw{4t8-=_dBlW@@xFX5_qa)b=5)!Vl=6$3 zuqnPWxJ<8~(<95TV{DdtF0+X5W#zCJhgg=O0GlU{p@3*A(T~>Mv7dtYOIPfG_$zzE z_NR~fPoMwVSZ5iDJcbguNUHeChLAG+q;TI>>n=4nOiDx5}M9GPqV?+t3*gxIsw}j$yntVTqDB@2s3op7e$}l|segKyV z3j(*d&V)rgaX21-4?rv7FroNlC6wkT`Wc8=Qn3~;D^$2?P90(zBt^Js_ve_?|M?8_ z!-CC?=jgal@z`L0YPIJ-y_f#)Wx1x0?tKBU^bCJS=qAAQUB0-$9YfS?vIV_ 
zY@5lk28%v6wFUtbZzp2VGG0X8l`f`tF&mCkKK8TuqZ(%o3*@|c{>FN-+=;G1gQjaAyB^o&vZ&U!I@KZw&as*@Oh>9rGXn(V!c51(wSr~_D=FjL#g71`t1lArys&GoN5!}0dS#Zb(nGD&-B;D5C6^pF)qs(K~Zd%INboTLe9 z3Qm8{e|M20)0$0c3mw0zROSO0UVC981q>QsPGxsix=%7J1>2?E+x5MQU66m!ayKEt zx}&(NR4yLf2)B6G6cHQ0hA8ap4debK?YdMMDpGl$QlgfAC z17mtT=)Nf81-$JYg=3zw$-AA8CnZZ~o`u+jLouErmh7e+L7s*kp8?ZYy_MS$!s$|} z^gi$DfxLIr7*oN{p?uGcjYXi`#vmCA`prk5RjxS4LW zbJbHo=>1rfQjH`{3(+pF)lc{Rhl0sts-2iA#zTbl9&tQ11>*VTM`8w4u~BY`64<$_ zwUH}c)`N@#J=U%nbQ7Rk{d+l6+JBk@l7?fZ$iW5ngU~%?5Nw~TGCyV6YvheuT1-}w z8WUVa|FT6e(P>=4bR znOS{+>}>v8V;?Iw)6hEQ=-yQsMWCzZECf(Jng@YrHU@na+dMyc4PfY?!<;@ZOD8oJm{3!@04hmw%r>3$Y97MO>16xe%~BF|nT|DgkTHr14pfka zHOOrREZU3V_QjyG6nQzHlBU@q>)6M0C(^tBnE>8W5E7GAuyi|SPEB+9e?#Wu z(GpWzM)et5s@yc2v9711P+(DfFoM%!Zeh`VE%B)*LFNFvRM25NmE~gY`KzVb?CPsl z7N?@P_jhfQOj;v7!FMv6xc z-X9mAx(&e^ms?M8S!vOHV%-c*eT*h2dlUgPBk1c}WG5cgsqDmw6DzSDny;vo=|X~F zZDAy8Lo*mVB0UDH9XlO+mZFnz^RmM#oC6iglXP6AN**DC4Jl101#Feq$Q$pu0FC)R zt(n_mvTE&@IRga3s3n1l2u~33N2g;63|`WdWw12`-I)*=(63Nt+6qsO+XZgQlISp* zF}4lopwOSMwNG#*R1gOghxyS=m?L|*Y$4>N`+C6T)_I-jhNTZ`YxZkug!>8jK_2B`5S)QjKQaSITA4*9#c&++kN{yF~Tl zFJ-mEtFT$z4b;7+B!o^N?@$n8I2#{!Cw=bRNuUkz{x)ly;>Pdxd%n_0_mRcrC-e|t zTxwxtmj#^N=PWUQa{qTm-Z=Zfj}6Onb?}c z>6u@^7Ycr{A9rv0Zv%=9^9g%Y%xSlI=pv8~C_2#V$X`8_TnC3j`x-*I-uM7J=H{^= zv>&5@w)3VA4dSU&Obnm`|Jg{%nH@w{|6cW}({)a1&pL-#5c%SoWvm6YmtnlydT0k{ zK-%$9IU;Pl9q&1Oa(aD%<|_HBF_-7)M#aoc=pT7;kR{^v0;xWZr0--dTw}FeKC}B& zuisxYgp55rt365=qy@aYUZ53^%(d{I{&Y&X<@G>&^6{G}4#KOV?fkanpUOQvbveXj zPG)YafXPQv@*VI=kco(O9f8IeD&%7An9JS78t|&&`XlRh%NlX_Td8FgZ^GTwma*rK z9t=-h!a*I9l9wDZ=xjy?7>+^#$II{ow|bpgQz!^h@@m-on4Ke230}JXwHPPl%`$)8 zrDe{dw9Y~80;}p)t8QGM0+@d(YnNfpBc?K}1V_@qq#f*_B=C^g5s(seEk3Yj{ zRUJTti_>(rsI&RNVBkQ)bfUo_$bmZxxwSGmo+lmEvSMKDvLj!L>?s){46W&-x0Kn| zk&XP-9!b4>(o-HD?Rjv*73LIUiFMUnyXSeN}1a`kt|% zFR^;eRtIT25hq3@1uy9C>teT)bMJ0oYwHl|XHjZr^86uc6iTVc?LP01fOFz=w(aO` zNai*Kh`sFZ4;fC&E}>gC=brj4GtjXIQ*VH{ye0JobxF!tX&x`rtgxn?S@lY{VgLF- zn5{( zZl=}Nn;C`5t}b}Ko=EX$>Su6gE5`z*u9r@%0)mCzKK*^A_99~AxY=lVDY;bbb%0{y 
z*T{dDQTR%R0aP^Y=b5cSbzzQ2R5LKJ_MZ5sKHh+3yv<>PLg552AKf`AX#dh#ILQtG z8sO#OrE`OSOA^wW$V=TznuGKCiH|*t)d}s|;Q*<~NDsXFPBmXSN!#KrQ&MK_F?; zC(1Gpc!KQ)7)&jKWhWe(!X4ZZ!m+USb?O`i7+E3&B2J8@ni9>OurgO=6wdAULKh3L zfdykq$}d{jB@l4w4Lekb@1}E%Qb1-7DBWCSv=pAf#JO<(Seg{49}4ZE$SK?8Vzvu# zU_0J8as)%4r)b95Rhnzu_aYOBco-6K)8+SG#Z85;;#8hlvzP?xJYPIXWNp%eu z=drP%R1}tm@{)IDMWfvLw{dvLnbnWHgRzutJ&TN6$yiwlLUoGiWXn-KxIC3Z0Z$Bl zPux#3vWAE|H|{JOZ1Eip4vP2sFz47oS^&KX^R%QzzyBpy-)#TB-@0Eb zCkJU8CZmI551v9|rO}-hI=-tS==FB_hQ(nZ$j+f}R+EBu)r#!>Q|5I^zLnkJS+wIH z*yZ3d1zLqMH(s@^m|HnmtRuaTmsN0YV_2>pBjr<=_vxu&vZ^G9%H)_yMk1yoHjuQ* z;`J~Ntu>GsGN0{Cmd$s(z0*ORa{||m zd*%s7_x(2J)XGwouIVPjHZVx~fm&%qR;OLl8*9&umdphOy!@sV@!?fRJcM&G>kwD7 z$F$3WJ(+Yf@!=K=p?#`9)57crf~zjXoZ5Pwt*(Y`>E9?=$1Ewhy>!5Bw#Mh3J&oBS z=0K(yPy9Pl?Kl8LHiOVOV9Fb%0p|HMK(k-0WZa2baG@=#)SC(oK;hXLzyEi+@!WOV zvG**lnUj(!Vb1DHYfN;#r7iso-UfI(?0^aL^mB%HX+Q&enUwy}Vn9nYI(7)o9)Eg< z(?ZG6rgnEcyWkJcLn$?MpNXDRA8QM#8rc;gjjMpzEMX-mr z7!TB-j*zJ<*JM=V2UY_V64!Uf0rG5R^q2hp&)=9smoBWWgi=UnkfsY6XMs_DWHYso zm22SlV+*)2f>=au9DM5sWeI>DZ;-`DX+X6Ja5kliYUvBAlAGs@jG4&1FT0mqT74cc zw2j#GJl=_?jD&k1O(LS;x?FP^2m<2n8+Xu!q@TC^? 
zo3`U*66^k;NAe<`L(HQHU!7lUg-ESDBcq@>W7kxaJoL1=xE^@z)TE-fl{vIacrDU2 zuPI1L=T^SvoGeO#4vcw*K1_nR1NDEk+!EkDxKhulq?Fi9U%8DxyjR%?NgfVjDk$(l z16$#p;5$6i@ipgSXyu$i270MZ>8Hn1y7r+p)(%?tsg~zCZQc7>>_MAME^Nr8Kd8&N zvpmX=RcRNtK$tT{nO49V4kNWJ=#0omV$7&Y!KDvdT1Zt1`Kx`=zVnhhdncW^vVOHq zRD&biW?icxKZXA=f8@BChfY;EPT?)+Z&cj?i>v?ExBVbOX7hr?J}w{jZ_>X{05|1~ zJGs5jYCBF`Ouge)L71L$tmgr>@7yYFegj8}3&qVwuq|-O_v|y#MOKQ|Vh%v0$!|(O z+ag7c7KV4}-a`V{Tvw!={NRWZ9#`9cm8p|#Kyxzd($)7RT<`V(9|5EBQEXuL;Q=x7 zqjY;Uidu*)7OjH@?kjgJ;7_r)Kn{o`Ev};9|2EGErnS$zd)6%tyAKt3SJVrLq%?rj z<89Z*&Jd0FABtH`{b#i?DTOmyAmN@)N3Q|%zLZw)b~*7^aHV7xBKJs0RDtrlv?{(K zahxWLOimHoOVvvDPcH*;m5X5H9y$3sq^K`)^NAc6K*%Q`(U~gKQ_Q`@m2drm;uExq z^il^?4@4z#iTxnV#fu6=D}F=sLeL6=hid>*(|z`7C_`sqK5WK=z$3|Q=8F5ZeZ*aJCXXISt!(6# zWZJ-rIFwHTE=W9j_Y`R>pYN_|btmDMs+?X^SWXdrIH#@=eLP}D_#_P+6MkYwpO>Qj z@-Q5nX}O|cZE-AOzi~XI$^Ye+-Fa0ro~{;)z;YL?mWs#cvD;jL(B*h>l#gbsqBX6h3J>r zWS`kN{B@w|wJbl2%bo9el<*Wf5=}@{n0;$_;3xCKq$8c^;55(7Wjb&zc8Hf>hpPyp zWKBxz6S5j2)~3Q|!uPG}<40J~y9HGPTyKDAP=o9L0@Dxh5lw@1G(%jxc-U%jeVO8o(bv`c|}nOVe#_|yNuFeiK@jS+@2mzjaqWx5uthaXBnFzQ$_ zcSYt(rW^wgO%)uyIs;fD~kniuQmdy+JNoYLclC?FEG zr<``ZIhHuMSz_8#CVnJ$W&qD2gQ{744|y#_XMno?~J0BXyS{q z6|t->d5DCP;~MLG&aiQFm$o9!O2aon14CP1$tETKiblNGZB<2O0hW8AUj5A*4KNfL zJ5WR3=h?up+;2ZK$iunKvWB9qwhh;D=ogv$25EJ2-n5`pe5OA_wPH?$-aW;3lV0CHaCM%KMkQ(^Z!5_}Ha z4=?Qp98e+-5ed0~!T~gyo3M#4PcoXFY$7uULPn)5Pl8-+ATM|u`FO8JPEnOWL+Z6h zVx4IUrx6<^ey9Oo4`rZCq#D$@!MPg6n^@6w>cgJfUQOv37g+a2Nc;N(Q^!b0${W)u zOOaLOy=|-FqH&LyNk2v0*f5n-Q8K-9S-iYxVzip?rsNn*Tvo4-Q67) zc-;H{FL}x9q|?*WRnwEq$w^gpeP6Yzqw8(sqM(C|L~j;Ila`OQc(Bt+cen~Cd%~bd z8L71Idmg=P`lFLC(N}n1_Y7Ho9eY~~jf#M488>Qnr*Y{XOQ@>Xw8EIHh~Ew3P?Qs# z|1E#8D51y;+Y9$o;0DjdqizIiXS*TkFrxGkBNiv|lCVoo1oV>xEBk|4c?t9=3@*#I zG8S7{Ie`~=^d6=MD%?R=X$P)J+#H@hoo*+2fCjH1jV&+9)h`#If7n_@xSnkKN8VMn zQ#Y#Ro-VO&2B90J7g0wt$n;uhmXcxb#fQJYznE)Z5Jb~ zOq7AokNmT<+QXJ<6bjNf+)p0flP_Hlvj;>5AW4;2em~ec!i68DP{|(m{cC)c#+YAx z20=IAOfp3$k!NIE=#<}Q0o|>(j)I3+j4C}(#{234t1Z(rFB*YAKE^SzjP;v5In~!h 
zjpiW(C5tb?uQ*HYgp)+`atE^<^O&GOpIfnQ&K`u;q6XOEo}A%H@0vH{w|%NUVEYU@ ziij*Remj0SCZMID9Fd}zu-6w9g~Ceiw$DHQ^G6oaMyB{L$-<96=&}y?=f^8EVV~gH zmeLWBju)Wzwl|6o=MS_I)vV)B{<%-@=nsI|ANpz0i>_M%e;|pw`eaiU?tGjB9dBhP z%(Zqo6&QbD%ans<_B(@sV(zN&^6xK*hJM~#&3N%KQqZxZ7s%M9IE>PsoTBN|%jx!K z?O)&q&pe&UZ4VpGn!tDULbm1|jWPClmv5#qcVsf=eCvkOqvoA|`=leZ5%^dOn;|ET zouFOx2WzNA%FMI{qsCgX?ZV8q)A%vvRZ?N`LbL$6tFS-VEndHC7w-k1=oeHCEs~iy|MRLC~mNWteHvFID9xl=byni~)6U zW3NKc<(d>VM2n!6B_23*9x{t?ZIL*o7prDAv#H5`wD$u-?Td0NXkRM{7^?#o0Lecr z=Ks>V*2wDvPVuk5YA;y3@mXg5te)5Sg`qXEpq-XJQpL*MHhriWUK(v5#JA1cK%MS1!g%bnYyBO^!{Fa|Cx2uxK z%_Smtxm{anZEFON*EIik;3I;a{5yT?L{Tg;eau?T;nY(O2!-2+x>~U65*xQw`owQ9 zds3Jwfj5LVr2CKHYr=jtjhjH9msnv5;@HUtEd|!R+FDhJLd?Gd>-PUu(cer>Ycx>lP|Tbg~>ct zT_bG<27_zpvEj+8G($8#z_^(?X%gEZO~{>6zMFUe7w)xW8NVYt;WnSt0uD;J(1UH( zyK+{LTN=GD{Jy!V*!2B1>41yoPb1e50D`N`3wd9jbOD`We8O<*$4%E z71Pn*=>d*L0W2x>F1NX*N9rJ%TpOV#t+IdW58x=_i3$GL`#c9WEgbX-IK+`Y73xCi zT}ru3lXls|84!@!dVU;C`2s!jzsi=j&l8pTd(&N1lpP{t%qRb3{;89S*19(zT=DN$ zExJQDD8Lr`)G7r$oJoc%EzLXm`g;kK--kUqRqQE!7L4rtJV(RUZ&q_HOlP8Z;HB_{ zu}C4iFMTV;>~jhT9?lw7zAmsrvd~%*Pq{A#09x`M#BDHftiz#!#wKe*(B)Pp?*@?V zf)%zM%pKMF0Pu{eeseG)NTzCo0f&&yWNfX7M?~jn$Pwm0jnrZO#(vsQm9bW~L8tkH zi*g%CmBm^}<1t~8sC7kv6mVH8QWxzwt)>z3q`$6Wbx_n2n&hOtgx`+gKTYhQ@Te){ z1iL&N>$m0%GbOfH8 z>)Im+eepF!xw%~o-+>ZhU5s_|2BH25`u0U<}jj^yzM zz65`ZQ@lCYX7eSr@0YM;b6Fs+DNV8eP#agY@=L;l#Aq`TEqh13&+C(FnVv=B=IHMR z(*}CJz0)$lQVP-uL%qIdqVGS+sXcxE3X+)?6LVU9*~nwzIji6m!eirb7`$esA0`HU zx0!Ja(&L?5RQOA^Q}dP-IW=#_6Rw;PfR2Sop+UnK1(lF#1Z7yx_dFoRZ-9bX(XH%| zywgO8-{{<~isuXWOaBy2Y8&TxjXZe#R?h=|)z8c~)OXtJ98oc>P)SH(q++mhA8{XrIF&I2 zX&Gu#vyOg~>kgBzO)vc3Yp`a6MKmv5Xkv#%JHy(24W=bCBo7hTx;}$wfz)p4lGuHD zJ;L$v=St~c%6lfQqM2K4br3&mo1XZHgr5JdLsVURqGSz@S!_AiXjIXlSqc z;aB9eaG-N1_w=DGD$e%^qZz_6*`f~gpnxH#&Wdzu3U zQp=QTU>9Pf^5JB(hj!$LE4Jm+8e|j$!@MmdaW`>qsjide(Eh*8-P+hkT{M?>!V9*`e0aM(m&`ArVxYkZ~(jiO>H@l zrnU2{EnTS0M8#lVZ21Co1Tr4c=HbanBqg()l9j#u@e6demliYeNvLo4DnONLCRZ9N 
zOsx(0fY|IWUpzi|5M@8h__N4QiLKC4*nqeU!Z`33pLl8?B{DYZbM%;nM^Zt&KsKN=LM(Hw`p0EKRyWJ87#_$6R+$!`;OmmbH84pnV_*AE+)bE0Dp(Cq)q+j($ zR+zpdp^7AYTn51feTgzo@UlDe$lUw2$;t7ja5~C;T-b|#3kdaQxPQ&LVT(`}Z(;;H zWSBP1o`gXpJ-tk0E9Stc*win)Xk(8)|u?d!K$K;3{kXq6M%CgSc(gBX6pGccy}}8AulY z_4lPir)|B&J@XW>Pc_nBfwKghHc5n!Pslf6tG#hL4I^;&O$mnKs3~C80)(oOZvJT* zjfXbZiz$E{pI;;@w)dbBaE$MKEtn4S4{s^noZAGWFcfGhM!}12;7JvsJ%rth4lgm=Mzocq5zi^I@8WuEG$+cJzhISwJ(`i$v_7OA z@e;x6d|fiG)NE?Q72rNsmx1AL7-Q;QK{S-XSFG9_bv+jT_snk?b;x(sIA{tQ#HNe- zIuBibv1-r|{kF}9k9bse4^d^4l$hdB&9VbcvecWFriZR&Ae5`VSYp!8A@%s$gwx}B zG>=klsk!}k+%7?#BVW%tUU2PsewA7cNBx9u4;-B|E|#&fGaVYw$%5DaGG_H+Pa;xj z7e?ti6n)V$<6vdXq1^Yk{`9;wWlO37KB{>Wv&eLfpr@vRw*+fB#4mDA@t|I30NVZj z?p_GNB*T=zUjg6G6bftb0dT&T=l8d&sfS1MpI-XpcH(qs+zT#gi}*4xzc-0w8Zan1Er`pm=f|(;vS%rh8wl`YOyayVDAkC0;r1 zhUg>~xsoA5@@Sz_sr}ye> z$hdFND5rR-`lL_`rs19B?Gf(j&FW`rDr**pij?u^9_Q@xZX z)&ALq9i`bu?tL}e&R4h(PcJX+&#RGx_iz&X>OWgz6aiPX3RHoBHamkJA_1 z=^JmWUn5ZTK8}BH)F%eK$xT?Xz5OxgCES1LDo9rD{}}$fKHMVm=)V}jt%izkv_?+-Lkz_zq=JUC_olr>KEK*T*cR9zsBncgmd_oldZA+lZ6G*rS$% zOCci3^w<35IoV;sAub7O5{OZZ9|52V0zKdp$&CwGET~$i3;VR1>gf$*29FevYCcOw zOW3kF@s*kH`UUV9X>d(lbPG5pFX=^z6mIzFwR)E+b8EeLAFNoPO^yT2A1wGfE#7`E zP)R&lct0HX`CaEZU<1hww6|aK7xzvYIw$85R=9~;DBynb$5S2TtK+l7n()mer&ph% zV?vogp^uHS@>nP<_5PWB#Ab<0(OGz#5_5L*WF`kMmx5D5yy(Lq73kpn+<7s%ID!UK z?~+*b#P(@S^Z?DC47iITHNjKj7N~&`-$`3Ct1wL32e)4x;^xOAPQK|aV$8#7*i}gm zlXsMz54K9urq%pQ{+WxbKbQH@_h_yBVL3J{HCQz}TvY^@wMRxBii?)iI;ZFPSdNkM zhYJ0WN@CedS7`ZH_oHxE_BVI(Gt#IT8sMA6iE!?j|T+6RR!yJ+rv0ao-MJ zv{R@IBKyLg7xm%voLnxy?DQuB2?R4E3!1aisY2$tfzA<$Yr-K~{sJSpW!Qmlqp>>R zByo=m9oG%MS5zyYkp*X?LA${EvF?bAyU#H`YeyASfR~fRi_RY(^21q^9%Z`X@2O+n z) zljjpU_T2?0%o{$E!H{)6l4W~}d3um{u3~pM>GI+uLT{A*aXYXv7I!$ZW@3J0KUkQ{ z;+Rpk^Q8p%DuwGRNG$BrIX05~5!lh4RAScsO5OP%KtbaW79AuNo}w9E;(KmrmFic@ z9%e>jN_!!R_^AND`T2&LJgO{c)V@?PKIjD@9(B?QOUwE&mn^FLhX=+Bc1~O}hAKRy zWrUirtQL0n3&&rTy*pS^up4vAW`;mtej5 zZa9ChRu#!&uGTNviaBQPnHPIh!9!}6hjfg!lQ36S5a|tE`yh8t+9>`tP)kfR*}Rxt zYDGQhZEnltuktRcIN8PQ=#7_7h#E}Q~Br?G^^-3 
z=sml$02%mM-$oF+?3JZWk4WFf`btI5M(x0%vT&%&4NxqrCa(ZNZnPTK>M z-;B{|+5h~Rx?A6!A|?)qr+S|Pg$En;+i@dA7oJ;&E(O0;+SwA~MNuP1D}f9tS601$ zTn{oO$%H}Y4A1X>6<41L@7Ib$H}qOC74RhLdQJwlRL?{%5~Rkfd?MB> zhW<+CtA79}IINi6LjW3McyKFlK)0#B? z?GuNA_M@eOxBhjozp}`+**)SlB6YVKQ79RtxE$%n;)NqEp>H{#2mSlcsdgMv@bESz z=p{;yugZcy`YAAFPxhFpx%I9eXR?FBpCL!DXTMKdqb;ejsNuq7DFZ5Kmv2U%aWRL9 zVnbve%P}M#oOqES$EqMp=}=Y2DUMW_dU^NrJ>#Po z&ItA>nrn&vJa?JZS4V%c(d7yy)3=}j!djjaP>K=dzn&dFH%#wY0wl;VW|n$EsYS#o z6ZcWP?N&e%R~1v#P+89lbe+T;0461?H{q;~r`jX0AqeeM=@8^vl945Urbk5TH9y<1 zjcLFA#!>{9hEM1(Wa55Sz)Mt zby+4n={4ex&8)eLG#rJo|LIt^e=-3E@WZbn^iq>z-NsZqD6Q_O9VapO&7cei%b2nl4CJHZuD+2~w-Sz~ZJ^{$6wI#tdj!jB7~< zG3D(cOTdE&AC3l&M5iefan7|@TpWZ5`ebEY??eh{>pkZ3Rc{Gqfl_^bHq$&~H)!HJ zYx;CRgtY2Qn~BN*oc2;#npb;8u5$X`xW%6X2T!tpEcNU9pBV+FVy$+p3xvWBbC}U7 zOn|pl<*WCGr?-wS9RiCy!)yy&zxoR7$)cYsQO@)&3ryUIwjC*;v6?2DJn90^$3m4q zaE%3JRtOkeYa?ahm=V$|vTI;{&>g?FjySm5wa`W85v`pBpzm3sA0}%}Z1IAL`2!7? zAjOYm3gfI^Zn5Vo9{RpchnvVhDpIN2EsxVx(ETSdRQb)kBFuw_(ztZ8aDf+EYa3-( z`)F0{Z7@HV$X!gyfrUy)Q&s3kX9-n!zH9G@D3gH0-F$r`2hsKgp+>fOO+tQ%8`cVc zc!h8rcB#sSJB{`}T$C`S)m!ciL$k1-@XYa9u1p7cAu5xXW!+pMk`J0z9V@{!7)>nk zW%tXp6wq(5!FH4V6%ub z_^9&CG%mxYD37-zGFe(GsAl!e31AtDWEEy99sQf=U%FAA6cmX zy8NEZ>YD$K3SE_}H!)jfm{+O$EY)ipaw^ z<;xPHibn%y^yq_C4n60J+6^gLDp~d+HtY8mc}LI0Y_L8AtV16rgsXUVR@kwx>_(m8 z25NuBkoD0dbyY_Th=fUv&A>?W1MxpMx`c{}r@@Xra3c;}U5Q5J6KwT!USO{|zTP(( zdAwG&QV}yj=%5S-nea^5-k5me19A9Dy6O}5kE-1IuYy>pJ}v!s<1B+WUyVc08|ssf zpTFw;Y5%2u@AuG@ujB0khp(HO?P8(iGpDz6{@^kVL$VY_Bh5)IAh8#9DOBt56pyS~`tJZzgP} zq5lDTh@HzaiXrgkP)s?VK#CA2g;iP-EGr|=HU|02>E-FyP01j zO%8aQAwI`7eEbK_p}19^Uuy^n6*vMIoFxd(1gd!1FYtDpUTQlyGU?x(8dDAAEOaQ5 zh|7>68bTxmYfyX~{Es3uV~UlP&gcgMoaA872atv$zthA0WqiDBMCuuq{;Z>W^UQ>gO-om~T9@_EhRU zF-i{7btH1dB-*4b)Uc^jcso#dJwgt@%0uq%o0H2d^45T%e81HAqQwmvzZ0vw7Cz)Z z{)`+zuE91XKP{NgQ&ClW9LS7Wmra)sJ&Y1m{HD7b++h#GOZsv{N9zOa6zR)fSqd*a}!gotQT+4 zRUiC9?!VI+?IHH#^Pleu4?wRaueds?4?GL6IAaZ12g|RkK6mIZcTl3Wre25cD0unX zh4LY}cts3ZzH%NOUdRVwW@yl*U)WW(zB4C|E_2x-yQ 
zI7|K+-qx{%x(J6IK|kvGff-Qldt6xqvaO~RTXT^*LDMYvm7v3;rKth)CgHO7ME3YI zehQ$bVHXk>39VSzR`cg4uoCwC(|vkmS$h|&7Q-^X&?Ijb6$|7O)({mlKSdFy;CGR; z8qe&^EAt2`2@l)2>5jNU4=D3JE**}QiUC8|6_&0wV5Xk)}bev6y-`W%H^^eObj6*x(ffF)OrVCb^dHWI8j(K|?Z)5ZDe0|9U zoN_bS>^V)w35CxM9RC}vDL>7P1SPyCC!x}}y7mq_A^({4w!*L2R^B!V(79kA_XAdf zIuqq@9W}JlTbheF>#ZpBEhNP)6xl7l`jde(B*ASaqDyNjES=tfdu6uLLuJ+8S$Q*r zXGBa;L_LBdehOsWU6j^I1ps1Cwo*u(!IdSQ^}r{pg+JX{OXH*OcTA)v(P`*Xy{A{_ zJ3>O`nNJWG@sfCW_$a{tw7}=VOU_)4df#s#X#1yLqa?bD?i2EgiO*{#t$MT%4vvqUVgD-$VIO??f>3j$6*!s1;_sr2$ zGhPTr2%~Rj77YuL(agt}0vj9LLB7q}WyHV&Vx-EM+jl5=h|HpR5w#+IO;kCqWinAh zm1$+Oa7}Yh6_qBK1i@jwa@}SJfe}d@= z!10+H?y|B)8SwKElfco0(CUjQEzv)gGl3`y;18N%4ONl?#!|*he$_Xn-V_^nQIYb1 z;*NKK5#7(PAJ!DR#fE*zukXV)uSMT|&Y2!o_m26zY(}^Bh5i0^*YtdIU&w0d&eWrd zThVkKHNVnkz%zl`fSUWN;QJH&!qp+9`SNbevlIf@pfmIAS6sG!Qfq+{*_3=`&OH$B;yMw z-Q_fryv;;Ve0y!T@H@-O!mN&CDKsJg-gaw!Iq8oIt6O@AbMj^N^?1e#;(dbUW7` zKW~#%Xp=LNmh&2bnIUZ_^R|^ljdnUe*Ift`CEy$xwOtjPGaVG;%g-lFrD1Hv^+dU@ z@?H`i8WdMCJh_ zu#d;OKoJ)yW=fBy&O?ZH=^TuCncCYxt z{=0XzD)uL|lwI^-zZe#{V!HNxL`~eA@Q(|?$+vqD=z{`gk z4KgUWku(;AHXDfgYMT)N(Y~$FnLLwrxF&Z^K#M(bsE95%O<-5=Swg)(+#M^q+8D3( zYF~$^yN2sJ?8{ER=bek0qn^m3H(t(2cQMXaYy{VRS?8rY{MbscqW)@jxt zHoD)6Tjc?-1_BMi0FKopDvs6hOq`8A-3RsyvG<8~64%iv9}MQ3=&L$>-G>{zU$zOh z4U2sn%=0!fT{9r|Pq8Pve9QCz(8u9++|Z5~{e{6)xW`&Uezr@cne3fi0|}b_{MIq% z#u51gJ3zdh8AtpqBN_y=T6In`!-x=GdUc;^>5YB`%QQ*g#V6 z*wA{y)fO^wY8xEA2z{`T0Rp|TNQ$>}NQ?6bd`gr;uV(*XW{$N+*nb>H!dNj;`CwGV z&wym6Cbj8jugI#GNYYDOX8;-iY^`f>q)+WaH@Hw(Fyh-YqL|vZlt-1x^PIW%1VHtqsqA-;|ywE{~YYL9MH$@9F`=)At=p-RfZ zU81le0;2*|jXJ(^M~l8XABRnSG6g(-^~enc~>RX6yk}QSD3kIyqv1 zoaBSeume%occ7v;zl|FYyFaqjQro6<#>$jxlViMe15UWUIOt^ILOIkZS**By8 zwQQx8NIudipE!@yu#Pnmtce3|@evcMV<3Q%u9Y;JGfPV4Q6+xS<*{VH4if?S!Vsu0 zhcxpdf@-k;jVvLfTLuwMndpFJ&_=~dnKduXV^5h?{w1k{$mQovX|Vo5SlPhH3XGWb z#f?B`<>K`Q(W?ZrLxf{qqL_n{zEwp6RhFeokeuIyg5x522cHn!&}?+Ziz_r$G2zZK zYn66~WS9QZB;hRb!C+X89InQV>d^0}D6`7ltimIZ$E}J-fLabAuPl79?T+f1?0t+j z8AV@c>K0oQuu;o&GYh51m1~&7{h5vniU4k%; 
zI(V2E*#u|JXY#YuLZy6f_^)3bb05TCnfiC(^<)!*)+y!QN7_F!FCS$2;+Qf&0KYlq z^KTPd7PJz+1B}!p$A3ab&`UvsI1W;Oa>Z42o}))uHy5-N>bSQOXL8MIY4|7Hzs1;+ zn6qAGXq`>Bo4HY1SH6#TK2sXIc;~exW>G%Sw?E~n*aC+(cw0nH4^}9Iy+)gp} z`}_SyGkkJ(@fMy>Mjcnti|bOlXvE##F~bqU zY?WzKr6Io`4RS%UXc2AB`J~n#MTk&gglAvFuJgwbraq|K6W~(d8nl=)?9*>Kkc6QmgWxp<`NIcq#o2fF{V*`GM0PIGL>53u*&w45qXDn zEW52`?(s=7eWRdG8M%zJOII>6bw&9@myeFmEM4Sa1ot>^}ON6}YG(Ju|9CZdE|0_ev z&>2dexz>ve;%f)>wXsmbS3V{wdq2=}4e50q#;S}ZrxQ~%0%q(cOpL6`q6)3Rl zb-Feympx*wJH}n&fC2*VbgG`sP(^u2aCaiBOcbpnU)#5Ea6v((y9)QngP!_8g;`*FdC{*QK7ysyTF7ahLa*)v8|vt;0BL~2Yoqy zmz#Uzw?;BI!Xm~o!j56$P}xX%klBv+$@{Ntw|C6hCGL+3Z)$#!$KU-M1&{fX%o`Oh8(~`j7AcBKEXcaCFwV^^>mzT{;sfO~b(> zDHnQEir4~|&+xd?v2AlVujwMCuaFtwG zJ(GC_N$zvh)G)=Trt@R3?Y>f+A`6tk0rQISDB7^Ml9cqyy)WueL9R<0GVv&qrTS16 zO{t`}pT4|Y?p5aFU5FwR#PX(n9?%c-^@AhDA~hi^QfUl@5M1))zDp zb2z4`{zHSu`(uGLDkcPS+Aiu@!JJ=Q2-RGpvf4*>fjq3?u9%9JxFAS-(+ zYv5-rhn57|IIPtq191SbLH%)opzAA-kJ7+h2m{@^FY2p+Zt-C=XlryOdY>--+YhYP z7+2T7dd+%pxl)Mo>ZIR-YW+1Fmv*EEK@E77ROymnO%G6Q-0jO?WxQR-hDOtcvj~n2 zuFfvCu6~c5zEqziGgF%fD+{6#(Onw47TFmNTBTCrs3<+a7IU%>nee}n{B)bkFL*IvVyDPdPR^0rzZI>B9*tnY)>)KE!`q3f3a+VY zJ{781P#WdC{U=nc63^)Bef(i1bA?Ow@-ko+$u*3J1G-NdIKAPW*zKOi&co;0c9n)# z+_e(H{CC{!Q3kqJ5r$*0XUnE`P|c7Gw+z9(^|1^!)mmlGPg%^z@MPawy&1%J%xnO{ zoV6Sq*c+xlV-OdYBT@M2Ofo3=K40v86)1Po`9g~8CGJKgXDIVB2GExP$9SQK)!Dr_ZPnZ-Z=E|2(HG&&mjxlUQ`_Zq?6QPoeF$F zT%?(cOh=JKb*h*Cn(E>s67^ zn$1*?1-UTV;6-Y|>@D`RI5XO8=wmK5Cav|e&wJjyVMPaz3-k3kVMqIXMPK5BLf0KM z8p(V82=M#4Eg3B?H2dV}EwZ}T2NA7fD-e^_wdx6rIxUXt5a0zW62-Yfhq=<3U$hOf zziQwXiNX~$rb=SlqrhShJFSbkDRW8fm!I;mmfx~yT9h|s>QndRGZ~SrRY_jc1dE(O zWzKyW?Hu@rafaN*wV8MUC#C+B;!9I8U#)ruR!6}1F~m08Jyr>qg}<09E9DNeWG##* zSYEGhoSD$xy0*uvu?s;>p5-%fjerVDHjd;>U$YzI z#W`)D`H}uASE>tAQC6UNu@>~4oG(CzM{Df=-ppoBby@xDU+azG{}nF%T3g{i>1l9e zyug*=f%)PaZm4fZ_>cZ?BOZb@^P|X{D#pLgh^Cf>-Pcewq9Mms(4h(piIqDw>evqnXV`+(bB7wX%A}q}ry90D%**K?a8|NQ z-wRfUOIony7feI%m^7XU9Gz>T&%ZvwFH7;BpERpW-(o+!idDBKo)dGlLI-%#3%}FP zUaWX8d9t?7kcm>KCQk#9Mhfa$$)Hlu{TCdqQ0`5eR^0TGjqY5yzx>CDb)j7bo`|fG 
zE|;UH<*Wjp%L=VJ7oL_L)Ux1>D5ULGhh>{zn`aPC*2_K#|1kVY_psVy>{Q_Iabg*r zye>`e12N}4?>B}v!9MaPd)gN;;%_n~zo?{bB=Xkg*`%${xKv$qM0%?CqQGV&15DC#$`E#kYzMkD&HcY7D=d z-fiJ|TT14lAXNDH+*EeYU2%tEW$4^ok70)BJyKBo$UG&_fKkYEmHqHkNlP0(vGq+j z4P4)oqZ_5Yvlp&?9=!W__g$x!~$C1v=;*9ujJNx5-1;z>>q*DFcS z{gUhgq{uIg0RquZpJ5%(pAVzkFWt3Y(W(XsMhXSQIjh5d^{jgPCkdV{k94eYc2zy$ z*MwJCdZvhHDAAi`o845sF#iYJlqD{n!tMD-F3yU)UH=3OJ4I-(HVGw30C#zUilo)@ z#qf6lPJqWM&x++}%zQHLJFxwI#;dHVDl;*AF7$weSF^@NuxjavUSjfPJl2ahDey|G zQ%ZaOEXrnfwp@4+wRRI-ocFa{rDL*FXU`xPDC(o>Z6K(Uj&q^o`uG|Jgl&wMQnQ&O z@2ah-vP6wDKiF4qwLoW;l`Nl@QPPD^ZtKAF8~A((C{#1<9Ihb@nOwq%eN?J>FHuVg z^4Vtb)m@E4E5^ zo1LDlUL&Q!UCt~lJ2o??$7Y7OQRtM9l%46RS?dc?mqZ}IyT|kQ6z9B4nhTQ7|1Zws zuy!K|8Y-ltp`)nU&h|aY*F(`awbeL{LCd*~ig2jMNXf86!{;>(Z8#q}A+*)z8MBN2X zg36=MpFS;mM!-z!wU~6^i{%P&7D16nh{r+QT9n)+ap^wqm@6D+_^(DzVUP^ zc6>PIHu8}Ye3x2O8PQR7T1hA7SGp3*i*ppy8Q{aSNKG}$0w2M}Wc8r5sW7Vplnjp+ z$I3KGKdGAfz_{v=@e&GU8&hIxaF$NQn3-RD!9Vyyv+2P%+uP*4qBwXKGrGH&IHd1x zDJ1~EzOlNVe*3Gbx#)Zvy1A(rZ*4an)fY#x!n%s;{ffkcx2dgYJz=7Xs8QeJw>*fDrTc;Y0`0ty|YMU?KOS2kB@g!S~aN#(aswjOj%ep-zvcRAlo$K;YGw| z7`v$#McGdFr=e9aNn0exd&QOTd~1azoQ2fz>hhvxEq77Y;b3xd^m6v`Q`6G>DVP*r z;9L6aXkLH+O;juFheTI-+jJB2v;nAM-22u49Hnd} z@pp0zMqU1~%B(EF6JWNlB(8Qg1)C>Fl>M=Yj-M8RaRicK@7+h$;|^pjtB=R!g}=d3 zdJO2XoA3>~dETU!f8dL2AFg^e;pMC(BJQ$gIBead%dR-DA6j^8g>7j&KLLj9FSYvv z2OJ;Ak2m+Y)f`)!pC^l~u#Z*}bs_1)Bj2n>$+3Kv>~m#XtKFuH)}^)0lwSuz*iAz0 z^DpS{q1%UBW{Rx9J=&v5tVcTr64(#$ccn5MY;Ou>SG+S%4kdV^Ijl$d2C~>qK+khU zyehaB?V-Bof2qAwJydrKILq$Cl{fa7PGUT+%xyhb0%vZj%E`|_&l`hX?1g%`R>~e- zQ8)IrvSHyd)>2)ZD-%Gz#oCX!O}&5TgQ4xwAnVb|J@bsZx0cl+E3VEaswcGHYxIVe zH%+qc(=BU7RzG~#65ZfKLfzJj?q_WW%8l~(oHAw!G9pp%8Ygc#CLgd=sY)`w~Ovov+iRs zZARPnXZePZIS#V-LNn@;+;)p9`uHmQ1S)T4MOC6b6FZ0&J)!{=&E;Tqvd%c@9=tVN zY|UZR47c0NHxW*0>JO=@O!S?eH`XLqPbsThyZ>V_0z3a>F#aQ(-e&ZN#tha6Xk&d1 zkM2nH2p``O=n>>z8e18y`g{c7L?4)Lk<+fl5tdM|&oM1~8N#Zv#mO_~gAA|xKy^HL zxM=+FLqXi7UGU>G`sCQXXx6qNsjp>uOLf`*YLq??b47N|M)x6N+=Xs`rejbs3K)`? 
zK8TKI6ZNs1l?8!BX33aRN2uSTbRyXFQ@@PHvRZJ^d+EtvYM_$kJZ=eB2WLp9(MAo8 zVEtTJCRu=a85q_7XEurwPWkNO;MkS%Wrk_JO1QBz>c`BpHK?~P(XPL(Rr8?umtT(p zl}OZl6_5ihIrVDhfio*AXG~w&ncxh&wL|*6T}seIQz8E|R7bP?SL{pTH1xk>Uu(@tJ#L#E{r{CyGhxgoh&+PX zd->8X91sRfO<_H`vRbJBaHA2IL#}gpVysgeIc_#GsD5J(=)m<>kNxK$MgdlPqOW(w z5Hr=u&raq)n*um%B@*n3&F!WNbpF)e5KwibsmWj{ulrq|BhI z)E!s|j%3zoDcNbDq_9Fa1t zKsA_|w@x%7i2|`Oc#ZrvJrO`9e9v_amPFQ+4}+MYHKn#c87qor%KIhHZk=}U3fx07 zZBwpq$dU_Iki(yExP*OClw7#Kzzz8MhF@UL?^ux@icjKNk|^r(m=xThaT@&^J-zef z%7Jvs5u+Pdwu>`@uGKGBvXe{MiBck6JH~T5M1?5I&{f^;m57wj)Kg$-af@@FO#j#p z#(~{kD?=~pA^B+E{%yj1`v~mjWWQyW$W~)J^5{rq>(V%4?a6#vmGAYBM-sjDTgZJ>ga55V5PYdCl6Ai~`rvToibeu=%{qjVJ4v zh&w_mGu8HKD$&AP^Gj`XP{ z)o>vP-wQW1LB{SRMKi-Wy8h$wAD>?XNp0O!$4hkf`b~FlaTXue&t8rY0Cv9}$iSHm zoY}ycJuXIL;LLh%*ua?$oY}yc4V>A)nYrcH#F=?M&WR{!(t>Jh5UFd`avXD#lm!(_ z6QYURmrT`enWk}&S_MKs(#NHkkz8ojEP}hNH)znRjgK*Jb$w-P^MZcOVV$2?RSKFz zXv}|3#LRE^*K}I~1@K&C+(VrDwRjSZ1W=ap&yWE4^nhqTP5OXvY$ZScu|1o|DTQ-;guRgJE;xEo2j%%(mFwjAV;Y zZ#@XDXzD1=Y-~NFu^#3+JuI*`vA>FmoV1HwHdMz03>`LG+0D3MbM#;Xzs8AR0f|^- z42FKO7kb59un{*xi?68G{r~#%pQERL+TZ_45~^SB|JNb>X9g|A5fo-(9OQoY@qFv$9B9;Y)?|gsAN9 z&4Hk66Ph)i+_qcOGrm`?KfQvZ-$LYskzUUT^N}2zk0u41kMO9&CHquG1SQJA#>sO4 ziz--_`Msw)Ihhy?^sWvs`cBJjyTePMU;tncMkvB&{PH*-Z&8gl&R3rU38+K53CLG4lk-We=vq%2&+M?-_|Y5N?-h)IKt+J1pL#Q zYc~#edRB{q$#aXb8VE`y<}BT+lauUEPS?baYt7Qp_ntHsUs(wY*S4 z!m0}E$P$4w?doQ%_>PZ{j{!K2|L})DAPDrGl7!AzD?+WWPfkJu{-4u#Zy}oHLU1%@ zVy4HH&1+rr1N7I+5AUmB$n~#4@Y}rzjk+4N8G=0m_!%_&PIl(TjSh9H0=LuY%!JPb zYJr+S6cBXU`j3GJBUW)L1GnI zu#TV+?X>kSh(bS=p_Tx&UyJ~{6S2Ad)C@vk&)CGgMsroe$g?2Svo`>8V0Qv!TW#_` zRCBcHW+3W>{6%HcLs-|+R9q*Pz?B@j>r%#$cQEut;Bo2mv|Kn8XkA*4h0Ty*X#*Qh z*^0Uq&Ey@zeI=f}@M82Re6IGOU<*9;Sn~AWie|qkB|_4XIpJu=?hGhOCSjp#kyOQJ zGPyzhj}>!wS5q#ER*@VNE?5~#Dh4@f;K3x~KyhHsgx|BAn1I{ zb3v0oXDqn^t?st)NL$~veaX@3kC*5rL2`>akoksJ(rHmPiA_3BQW4TZH8AnVe>`7=F~om`nCjy z>tWbg2pZyP&>DbhJ2tTD{E%-0O3x=IbIw6cSx33;M8c&WMI!V*kocMvrs+{iZjX41 zPYz(3?t@mX33Ie}5|L8i(ojq_33%1dgcWu`xs<)*J+#jX6T18VXYcR3Be#u2Vf_F7 
z6gW!GZ=`H@%VX#6-JP3Xa^%sBSJ$4g?nt(ueZ09DG>Ps;L;?%}O4Hu#cYhA501)gK z66_aA;}AI~9K)k$4Jo9T&*YTY zb8^U4{qW(c_o9CIaOKuy{wZgTDOG&wcDor9YDYywmrUWDouHCq@(JU{HoHpa4WaomNw7dl`1;ltHII1od) z`f(uUi;Wxz{BRRd6BId(M`J>cj-TnT0Y9A&NN-lA{>)wc-VMb0Tehi5UGv2j5t(i* z6}_-j6#6%4@@91L_Aa8HhsX!~-Kq~~xP^f%=p-9GOO!L-7#nOme3a(|@83W#zM!0?r zu6%GiO5O!eDM@6Ou>^B8%n&^8vt5K~W_4DRyMG07+6vC+xOL|r-dtS1do#(?-z?n&(4TbY`p{IyDKSo`!TMviq2E9cG3Mo8K%i*AKB{U-)yCndPGW!(QpfD z)v;BU;TGwVu~DdGJpX(css?bLHFx!R7~c1u>|&hA4jWYW+}xs@#&hrIswFttf~V?C zmIlqsCQ34$094K^#mWhG|I8pBb5Fqie`KZNQj9>sF(MUD{}j>lqo$RiTIL&*n$^t^i$fnZ(_1OJ~N^f$Gu0ed2w7h7is&J_1P}$t;w|8XVyIFT|1}~ z*;#5hdF#m0^yBF5tFgLo`BMEY8{-VdMOts%0r>u>aLRaIy5VQwYH^4SC(nw(e%2bH zN7#dSHu~6HU47p`S!IP$ua;>;vKrG@rde4>b0$)Vm@=ALVu626le?}h7&x(k z6N}-*j_&p0kesJRq_JL1wVNxR|7So@o|*FoW>9!XTQgiXHKFc{6~4+pwhB&JW$h3t zWKm@lO0aV0u73bVD2TZ}G_r-^+zpBx6*-@j45OS32V}S%+g%Ut>9IoTpDLKX8RqcC zzx@995ntF$b)2a%K%{U14nn%|vz;8>&iwd3F5*p7OSW9xI9W9yS2n?%~EvF&z{j+A@HwLNn1 ztahLuwHCykFRg8NLuoHRw{D( zH8TIeN)m#(Gp3pQsrwqP*I~0%7+%>t{XrCs=LyZS z2uY%uhRNMQ$b!2J7Km`%;G%;L_(dVV1lo-loz6zUDw1Q30VBH!2mKMDS+;&KgMqDXyBpY!?g>!W8KFVCuFdstVz1H;kKKb==y5(5T9F%R+^rC9JnK|nP z0Ds4nrNCpmH%UM(tSZCPnSgFbGEfuG=>U_14__#f%A_)qaJ}WV4-aaA;x?}HKtu+b zb#Vq!qowjeJkT<|xNeOUZbk{$--NbM_n4UHbSf*|d8@b-OfFm5=Vuz-q#4!HP}^41 zXRYzvX@tSrI#^o=Yb#kjuULTrqym?iu0fPK35s1#H$Zo>c3swF6IuM#INU($h+)K} zJ?pjpc%@X2p{~I19oRAkeMZQ58({FF4xzhYnc-|n)0Q2pPnYQ{0*n|HLgJOIMz(b9 z$f_Vjip4hy8sV3T%^YQat9ND?v2*DKJQ&3@-?3k;COE{eeWLbc!Ey@!d~0CYl4EjH zi!w%-?!5mGVvpG7r zU9YXdxnXhcW2_F%2hKP>Wlp@X0*sJx1cktvb7pB-HocBsOeQbT?`YCp382wsrDx-R zB}^nTHFLU!xt2-;e^zVl`ma8>t7~{c!93%5f}S^kOUw6mcg`xBc-DNEPX=fKBN@**B#KFa;xHAFrU=_9emY5tYGk{a&N* zsG{|C>sP*h{kvX^S=pYOMzwEQ>7vq>pcA>hDC>FyL!M1*?GMTd&;0Tvy2EE%PQPw@ z6xI)$1J;h%tsjk`B2DA9E0q|TYppJi*jZyn~=>$B{Ioh%cZl8ZOW z)8LSZZV-JnHvi}JUe3lkWi#}B!f!xVpxWcTP?MK24dG+V7Z5^+tX$q3?Ea_LE`Ctf zKF&KRGd*hrgDaHk1!F13u4VPq%Sv=ie0t_QVBypYBQj;a?i1+SN@n%~a+#GfCrZ#l 
zEu;p04=rfIb*Iz4E@^USdH|a$%(Q)4$(fBT2$7%}rKcCAtmX>{G{d)&j4F%`YNKGXqx5w-g-uiGG}M8g1)TiO35#^|l+R+YcJpFo366uV(h(D>tUY^L`@FcmLREL8 z{FtqI0Y79?%){)D{>-=bYi>0`xJdauPb-??eb&9c*Ed%ve;Of&v%l4zlthK|e_JJ-Ti>!6`ZTKj;as=3Ym;Nbtccw*~t`%PZv)(B*PMt|fT?@f4377RY9Qb(SmGCa+#ksAd9Khn7l@b+eJ> z&^-_q3h+4vO)zF>84)cdkhx9@Y}$n&>=RdzbP7QYyG3o(hGVqMs0IOiaHAkMajmF?ZdYsR3WzfnS(|R%aOJFa_zzjtV_9JW4nPt z1(sVaSt5nfWtG70Q8F#%9TRnIP&X1cLmq0MY;gFIwsgHuBSCVS0_uG0MWSvfNWVdJ zW`qo`VW*~sXL2Uch?zQF^{6%|8i4ZbkkJo0(=?@;9xDRk9rZO&t%DUnI&i$QoQRW- zWWmFn9M?a-jv5EVApkC<#M1_At&tw17CZZN_cwos=|V4>mH_XcK2b^O6O*SfYlq`&bD)P|Y31EuS;3YL8>QQ6qcTmixjP z0*~i**(#AXE-0#R#1kd$&1rarm`(0$Fvh~b?_?TpVcyMT-x#V6yu$cC1qw`j0lZmM zBcTkE@&#?LZ{2J=YR_sGe(Y=g!L-IOt?|pq2}C;Ay0(K+I5rU9HA7x+dRZ-Z-ROEG zd&600CGXy5W6K#ggfSjSziY65RzmO!8jR>WbsC$A-BFkMulf4fj)Ma0x>(X!V9rPpj`$?f;u@eH&ZgQo}kmrFdP9Q`T4Be&{_s>ePFYAP=FRQ z{4{P1yy6=lPP~V~E6M|YY z7|)5nbNIut4c>`j%FH3HQ_01HpWqgR<81IFtxv(XP$$fqS6ylVbLCuIU*YWfjr|r# zz|!)Hdcn(dT+mW4Q6DvG%*;nU_wn`F#qB7jLSon&TMQs_CQNHP@8wbA+Ul+zd)2X_ z*se8J9oFP>N}U(1wODN2!Xi_4Xs$-`AfsDeL3$M}~~6rZ*q5F(8Ln zy{HUBN9Bi?sOyjc+lA5~+H7Wt&cI*uosX0+_ZGx^vRY}5_*KJxF70Rq=F?SO*wdX_-^a6HqP02K01f&gcWnGV|Xysu~?h zwQ-GnE--fmS5Ap(qqR=cQWk|ZX5?qPuMu2l%6q23E6YWSnXQ^L!Ah#Z5NlHl!_~Js znONl@wjE@(j?G7F`R2`b@7P~^%##b;cXvK}Y$POqJ0m|R+#Y`;_{h5`$sDafRygl5 z_(fJMg3&`6*GEk^Vbqw{>ryK9-hFa}DGu_lZG-%~+6MVIru`b^Us6-0$2!yRLr$wn z7Xz5>0|!FhOKm+OfFY(^^@|h;=mT9&1k*Nqn^T>CaASW{8m7uhI>9+~1ihz$7C4{o4b^5w_JutzjVkyoSMc5 z7#>@_QiuEoe%N7PLH)wMM#ifd`M?r+&q_p*H=hbBjEMf0^2{KJLzLR80rf?jZUBKv z%%6I@(RpXu;IR3$ai(AEF(%OGx@%fj!SzBU$KqP6eH_v7f@Yj-ER2eFOH=^%I|A zVK{V~+i>XmOyh&arqyF-d4;xPw~H8Rc?LTsS48GqYvx>|{V^I5t{aIMEO7u^1v)sh zPrfK}&B*tf3JBW|Tp^n-2+s>Flmdr*Y$Fw&Uf$0-0k=uQK7sWFC-x6PdwPF@86D!& zkTek4eQc9K(kaWx-zruviHu37@0yP*f+E6-rx-@#>|w{$l7TVo%_qZzLn5=CCF|9W z>in4f@O@^%=s_E@+33Z&6XQ*+!{){N%YNjbr<)+zlh_e*(EI9JTQZn^kYIyRfyMc>)ioLK#Jr1Te@G-{BClDEJVeVWO{l0NUt^|>#1>sKT zfVrV@P-kJNt=XGKwRte@qh4xJ5?*hniz{(br*v%)9M5opN5KjFcCyZz?#6CDhRkyacTB6) 
zeVtLX!W`RVusYtR`g1qIJGJG@#=}0DjvLZ|L`Nm{KJ=@#YaVS!whkNw?)qHWW(R)U z^g$4_%vIk_S}*V(m~YOD&#HW}l57qQPeDQ~AvZ4~dOpsv5``q6 z^9ZMc@!c=be-;c>NTPMry2}>v!-B<)a?G9m_{6!uEpDgov0*K z^w+`YD3+8=N5nVxE>+<=Zi21xcrC#v{_4Vr>UzHsqY1?|zi(uChWr>*DK8$vwO|jf zYNWL2Mqy9~^BECxWtL&Ely^aBywcgZH|*t@Z=VW?7SytO+EO+DAe2492=w18e4v6f8JCkckMh_Q&ENQ zuV}06L(6tL?y*a$v`sr@X-B{q7(BIuw03GuEkqftt3x;|(Lv^-8CI&PVmd}e+xJ)o zT^phoo>2P}*by1zgmGDW$@q_!2NsPt4R;#@FVkEZE#|$Hag5aLa1xPWJNoe0+5Pat z)nz}Pzy8j#!0_)Tcw#c&bA@(5{{$70*xVOAY=2pd4IYR? zpy<`iMPW64GPv@c)D8}C(e**Yx4yOyIZxUBxk~BF5lqtseK*%c6*+l%(mlcr&v{16 zY}qJrU-x4!UpFB59DZ>^PGt!rCsdG(x#Vk>04-7eIeT^(e;kuZksgD8!d`>xy-^tE zvcBTDF!$bs{9tb-%LX7e7@)W}p4)Cj6NICyYF3mk2T`h!b>r4E-GOe!Pn-aU7`r#` z$n^(S$b)f=*xia*fotsVsU{TZT~cM#$bx7%Xy32PH`gEDyuP@7bNPyVV@Khk zm@y%@VNI(bCf8QB@$(qjyP-q-=Bu1S?FlN#mEgLru#aJOnH1LJ%Jggv9&@g3=5HLx z{Oo#b9kQ-+0cD;23Jzi|apjEz6pMqme44n}2y^FAhEWIo4#NJc5u0D&&-I{nFq4xuAWHk*Z zZM~1@{N5(@JeU!qo?0&q2v=mK=MUcHu zJtRrJIJ^+47Y>3on7q)WBSJ2pA*7y!#a;s+YER%eyYhc^LA!#LImc+a$Kt(@x+{lb zyZyOtXU?f^%eo##*$rvE?l@9?5XAM@r0Ye=#=cC_jAsxQRWl?3nQ!gfDQ=wx7<5l>`AVUanqLc z&iqwps=-6`{`*^~5DwlJM^#9h$#ftSA>(oT&fk82`Tgl%jii!hXXGbl=MJ$|y5xx_ z4-4t5DZ~0}3;_CoE_e2=bMvN<9S8wjLZdIv6bAV?PmDu|HAlO2oOx)|QHat_qIwXo zFG|!h&$zf7`BGjpY4fWxVt#N3q+~SP{bD;fYW29(^bxEaU}Z3;{@)$(LZwiz8|mca z^8#h0{^tN!3|EQbhq_;&v&Q8j$kom3o2$>kNVtvnfJGft;z$;>xTy5vk}JqS+m8uc z`#Okq!y@R`AlHfV+-;5R=k>o|ToYOufNERc^+1eOz2+Ot&#=>q?YDcb*Y$GD)jow2 z?_l(O6r(SYgU{5^%LUh*YFQq`e%9#RE9NStWo}R2m3sr6lcG4NwNC43eUMgRH?D+{ z4QawwVm?MtBNfNy?w!t2|6rBZP>Cq}4y^fjGFD)OPE)I9&2I{6@axN@Ms3 zz6{BrFjUNNnAb#>gcpCIXsMVeCZl0ya&mtUKX}++wJRX=t+@({g*F* z<^1Z)fBB*lN1iU`?;pi{f9x=dMlb|q5i%^}4aN=_!VkFGy~Bvh266m#){pTVy#5ET z|Cl6fh-pYP53Yv^`i5L5>vS4P^!4XMq7SN#;eTs8#$$7}xBeaicwenf7ZK>Q`Jo$J zOss1iB6|7$<}cq}eEsG-*b(bhXHK#ee-7=+eGsYH20&q8JSX!(teKkdl0L|*e-kDE3nvJ|N1;ox7+BaFfz<7WjxD(- z@gjht+rARxQLN4zk`=DzqlBz&hqx4=qhqKdeaEY5K4>5K5~>`VV!e8M}{(?V(~b`09w^l_8oT*Di$ed5?iYKGw}-Yg51{Vg*fg)_pc zXkVZM(1;-&&SNF}i+A!&dxl?|4;-woE-lOMVyBhGRT7D;WF282m3v9AF84nBveXZ< 
z?3>c7`PqsOpZ(3=POT7$I^NI!2;aaFUMUp3?I=ITll*ii_~=*uuO#~t9;Tku&V6JR zUS@A=T1P=WYEEkBQX@|CfoYqY`QG%clz)XB?(w9}eSuapEUB4gW@n`c3wPQ)OYH>^ zu;^q?3x$o#jmbQm2XcT7U_-hp&=*WkBo6W}v4*7=`>{t&(~jsxBkb=m)%4D z$Hlwv2u(ol!CajBMz7eRA2GIST`6*<&O-ekq+f|aNRgYvH{rDWsR@GZ&+ z=K3)NLlHWkL&>#!Lq5x#X8e~rUGsvG>o@Npb_O_f!~SX39Tbhthr%0-s=4wBA#aq_ zkfzx5ZZ|{uN-*FgHlAiO=}ySw!DUOciIl*HWWi|4Y;94)UKIsPCxpB`0{=~+X2pBjZY7BG$L=S(?bu9F4c>MQt92udTgPhCQW*Ee_P%e$yD zJu!Thu4tAm$Ly1#&E|l>od5y-uJjb^Rq7NFyC|8){CX$29w8yx?F2i8I#QL!gg~Rs zpY&PdJu8>C|LD(lE9<;Z$?@Y99giwI-m}O3D?#p9F?Qd|!q2Gu_~8nW?^A+&$0Fp% zDMNnfLgaf^7v8-X`5{VRKYBs($16#`=f3P(mi#cg@^yCx$<4%vSZ2eLliCF0~7WmJx^S^{K<=#KacX|JEHndAMIbn zJU)s7+x}v!!@LbTqUq9=vaq7#x@6g7K#)NLc@^qtg~EFLuI_N4r7JY@2%t3=dReg% zNu_w9ty-s$DP|O`3KxOko%7NS&_9hRT2?n&GBXstr#z$6%*pxSJBErpNLJuH(l!m) zRb*>rKwBhRNT4c^#U~uJ-soWHrgE^yXl-Z%w6!kTjjD-XSSfq-zd>=+7aL=&x^;{3 zO0Qc36+eI!ac`|h5WQUoNc329DRJw-G7eo#VdY0XhV@21L)BcMtnPEebm-e|ZRROV z88x#-dr;55ABy^r@JiHW(!Y=U%Y5>e@BZQj86XBMr|lMm6djp z_4s=v7@@3*md<8(Bn5X*k!bhRgANf*N1zd5G+7w-aEwNH!@xRD_0p^#xkkBq!}Y;* zzby{G11Ak6nXZTI<*+A5ajcfB)l0{W-@nd>Ca$~(Kf86 z&MjfiiFF>S#M(GeVzl2_po4-%P^a<>GFdEm0y)A=$M#*fn|>Sms2zf>QOvM9Fm1>^ zV%EcyA{^kG)AEj`o-Lb@YqM~to9J_mx$6*o3hAs6y=^Q;!Z$(7o z+`XfPLRE_4jm$QH`Y)O&x@JvuG&&TZZo8_RcThENQ#0FjTm0{<4%%6Y&m-KWT9>ec z(h(eB8ubmMoT+R9%|1++Yfs=!wc4J_yK1#v&437O&YT`Px_SOd_0=hmM{&DaZAW#( zT5WyYvQ}HXo7QUUCm3Pd_ppX}p38=GW!V^DFhI5}0z$UK8MW6F9#cA1GOKiKD(P*V zg?AlH+Nt;YU2v=21~(;eD0p@4(&vtZdlxl&Uln=}xdhuDy2L&z^T$#G?w(c!+tVgj z!FH?^E7%@i)#yI=rM_IU$$m0TEk((am@5FJ2xt4lM3(VVS$`c@?~}5x^4$5_UtC}9 zpbH4T-mDFX)d2+kJb!(_6^i)IN6C5l8xi>cX9qFS5gTXRR(P8a>$nwq7- zF{Gis`FoTb4_oa(8t-sS_K?(IoQO5Mb9qx@x!Vwm%Tk(Y(EZaDp|0+Jz>MP1{J5xj$K>6 z);d3fVuzKT@%x*boQ)d6btm^R1t&MmZXdUdnOoN0;J$9K_bf9K`A%>_Rld*T;8knp z0=UOLePl50?tkLJ`&iB-hcTIBdkQtruIinUXT+N7n%)x_)H{QE=O0SF6YwYQdfUM< ziLB^(!c2o!*|Wn@bg{6Lx}2mr;ZDud+eeQy?HDg6lNV^on0Re(rDx-R?cFUCiAigr zJmWdHj@pK9GSyRtG3^vPnIuIuvK>xxmdkQE@|~I=8>84a&VY?hs|N9)%Q%0eOc&~-*dHFd;}HC 
z?|Yvmf+=QqzA>6T?Cj3nK#Uv9I-ts5R=TMAM*N&)#py_>^+L&|#DT|a8Q z6;x|hidW?Sp8n@Q|9yP+r_2% z>vK1OTv{pdkq`Usg5ZwJeFk#iZdRk`Xa(vy2s!;T{a0Z-eJsuQqtT4W4gjmnq)tZ4wn1%X-^)4SrO+c%Z z8_D}Ih>063EEX$LmexO5N}~+`Cgg&YEa3&WNf; zNs|Rr!MsqMu-W?iN1PW~HRl3l59r;no7s|-QagW3yNK1P-3G&&&wC7t+?+0#P)0|F zgW*c~Ec`3t5$F5|%D|3D5fM zrbuhAB26+zl_oF0AUPM6?vu|T5P$yV_dQQpKfz~@EC{_$Rw(AczrCzuRghTpu#jBn zRmsQRQoB$~P;vh1WAJ;t948J$b@;bRPM12qgo%B>nU?SW*oSL1FI(5KV?E4R7G_?` zsxzBG-?IRnIzir<4{V<7ZdWH)_6l_6*jLm}KZk-Ko9a%weRo;WpRV>~ylhdjIaj(o z0-&(p=E<;0p=3$&D$~5kYM^~^AK1IPTVk!bP#V|*D3<%dn#^EEJN08Rp`lg+c=oe` zmelV|BJ-R^6gq1rsOYr9_O5^py%PB#uofUAbAHdn zDjr)N|7)7uG0`pG{-7L8)1{!fEofbo@}3)XXX#4+YGf7Wm}%POt4FTxPynpd;j5pT zKKG@43hfppzfYKBPEEguTK9ctMJ}?r+>gzGjAsh2CU11cY^Rx_W!>sGSI1=qr)(jB zN3Cb>4ruF3ozh1X8&OWar6ONL_P0w0Vokr|+P%xHvQIQGGNvYX z{|Y)tdv4FmX?p(Q&Bf)rHbe%2)3oH$OFZ+mXT!>Z+Y>Gyb-D@S)I3f zbtpsM4pw>%cjVP0l~UZhBy&0KzBo|typRthmE?huqGb0*Mh0gGMS>a<7OIe>E|Gar z%A6~AhjrKaBYh|+&*}W&I0>D4Jq#RZd=!@?Zr3yVn}vKBYdNkI8}m4+Dgr`xYzc0a z2ZoXDwjp3^2`YDZZrH33Utj*9Vw84)sBzA8a-Ohaac)QW+~A!{!L=;=)u4(1xa$|M z{zPV(tqvq-aq<&O&Y7~vn?a3dm_`a<4!47#1bCQd88U_$c*?G4sRI3(rdYKFpM8evP7 z_pB^=$`pyF<)PAvXU}BI`q&|3T^V-KYwzy9@U)H#$8uTdeRo9Zt9LicA5D$XxOm`6 z?~8|~IgiLm@SLumIK2UI=B;ly#%N!)fl6q`uD*{}9oYAq`hgq!FsLcNM-BCFJ*E;N z({_8`bC&btW%(y4obKiJKIaWft{;jAn^VmmXg?Ore&aw6(4c8rGNs%lVv(_PT^H9^ zNtNjiA%4+i#@F!uZd~+lJ;!}$ufjS(`KwAASA`YrI)u_8BT%@jsa-FNwy#d67`q)79n4B_lyWq*)bzp6k zrFkZTN4?mLp5I2JrCr8#UsYQ0ox77A3B9q9F~4;#kt!t0-=yN|K5Gdn>nPZWek9{Oa2QJ4M0V%=c@3D-!ow!0qE@#96s9x4j9TZ7Pul5Ge$ zU;NAOe;;ve@)BytaVVk%k>%cWNlOMSIfkq{9Rm71=_t+h@xx<}8V=hh{59U|JIV;y z+dK~`I<6imMaQEg=6H;B9LG<>@d&9m9xLI-QPXThn#N;OYWOr65prp4B8`5bchN~R z4w)*WXXHeDT8!O7P97@-#*-z!c-nLqM@@3^Sg9=@A)!V8G!}hhxZ>ltb~{K%PET=w zq!b5DMRBME6urn{d=Ob&iiyZDvx7&C#b+Prk#itmNIF-vdzqcSHjrZ|aO$2nDzaRT zKv&V@g$n9#XlY37(Or|HauG)2ew-2oCm>rHpG`W??{8Kt{r<5N5Udfu-O@i8_@BUv-X>lnioP&`eD>v9!(} zW*KG2%2KUaUPNSNAFRQHH8{o^{Fo-8MU_)AHpB)@#tjdhl^b$GNM!Xn*ium1Lb!G% 
z_}?m4rwjF5$`Ooc(C_iUhRoFp5lZA*ESz1d2ce@UaiD`i8p=7nV94iPukd*ddD@D~ zG|S{eoMtm*V9eH=wb-OAQ$})Lma??wyl^?_gJmRgR-$Z*o-y52#%ZL*h%iY{m@LP9RDet0Uo|CVsiZBqpqk_&+?{j){{q?&ugHWKOy1Lxx$8r-6 z{{C=r_A4OieZ8-Jy%{W>00FSIfaQRx1>DUUQyp?c8iniC6jA7C;_}aRGmR_M>ON2J z4zsX02b6jh`_b{P(Z;Z6TYl{9zfG05ePp*f6d||%y#7nee57C>n4wnmnw9T28icyZ z_gW{Q2QFn6I08yiR)V~QO27pxL3d+$1FK6TRA@e?vl$m$FG)fRI^`MH8y)Py2NOT$ zwYwO)3LA!35a0~V8%b6v!!rR-P|7SrPj-B|-glemT~MVSWSPE!!f_iSo0=~9&9?&< z*8O5D(3OFI^@g?HKn+}7cwFs--wg=};rV%?I$e4_5bWyRBu|%tp)Ur|+1U>%}Yb z)fb!J;KIG}a^nkiy|ka{_?Iun|Mut8pU3uJzjKeaRX1xzrj{G1NT<8pIo?B98TtH@ ztFnUEzpm1`jZ`t{^V-3fTxV3zWQhq_q}ZZ=t6d8`y>oOW&G$VVCli|!+qP{_tQ*_5 zZQB#uwr$&**nabQzVG_|QC)TF)?K$(S5@EcbN1PL?D1$Nh+R9rq<2^nIKlL1Nw)zg zG1Drdo{ALBM^uj= z{s-X=qslc9IuI(RShG!Uc?2pA=$vDr26b;#Ii=o&dG zFHe(wEA+HU@vtsgsT%L{5-S&MS;C2x(hG4dTjD!hueEseFPdy6HSDe!_02}OF8ofv43I$60*-|w_aMwLm7z~wmJ)3hfO7Vku=?p6WcAb+K4 z5+A$tTIv7NX{fw+S!0w-RQ8iBFghdsU4g?NUeOl!b(<+qQwDgeLe}ATM$rD`$T^s^ zXWPX!@vTJ_Di~Vf+EAWas+4{T`HctP`cGMr>B3C)!aZA$d6h-XNYlKZ)s2G;hLXFm zmg0(F@+@Zpc0c!T@85g~?~C$M8@ofr^BK2P^=#>)3t5MtMc9263ddO|D%n5a;Fb88 zx%7?LNPK61Xa#O{GiU-RkD|+zoGM33iu@?jDNc7BLL<(-Lf}8`hk5&MdMWw2I_VizxVLT1RxboC0(u z*i1u(Ny;fQXi8~5x2f!p?O$p^MZHe$<(ZJVn5oqLysRqh$$Ez zSb3&?R2j)_kT3ugY$AKb&2vfG`h+Pf%T+lzHk4{T3JzC8jV#$waHM2%9BUNB`B+mMgmNEacK}q$XT#(v?LzvZP(Zu`BX^I2UoU6MVkY5nciQXmReIwqn*1V{vu-?-? 
z6aS*E;*#&77?gZ8l4LemKKjQ#y%lk{_yA5e(~9wPVA3eS%$95!7C(rVF%3>gOU?O) zQN!zm0i#^1w$Dh^E2V-uJ^x|*Z)xjLkZ5l;_^fFyJAY3(nHcABoV2WDHU`daIGO3* zLn~|0#Ddi>5vTcj{Tm{S4a|Ni)bXIt=zTz?h=E?EsE*)FJ zTa!;!DXQbB&fh&B`;nNi*ElYlTiDmQ9xV=ou$gho74PU_{&f$;f9)ahPELgle-*av93Kl6$71l*+>s zI2)D(XouJrOl`PFDKjU@Nvf=5fXgD1EL=jUqos^eaD4I~&P1GkNz&&<$$=ZM_C{S0 zLV`QBsvR2B-l)?_95xi$4z?nw=0%DqsYBM-;EF9nwgyaG z0cZJ%_#p-*CImUAL4lEF2$@W_%IL$N?53AAggP$a%4x)kdx<(Om~uqrcvZ`*=iM5hvwC^dj9Yy7?R_}~ZFS#x?C2HlW2PJg|%LMIs z2Ef}E>oU17d_BGEb5&DW7>=}>H>cFMLD_d$#T>P3o6TD+hUN5G*#`18 zlA$cb-IjGS)|)7aGqxH1k5Ex4QRS^aeKw6SN35!;zf&aL)zG?OH7W0POGiYB98XfC zzM>#pX;nAcQ(u0E1Z$0k{POysLyhN0E*}-&bpz)NMwsCn&cx$6Rp>HZ(0N7u>t8S? z+ytjN2in2nN=TraH~p3bJvGz0Z6E~rw*GRu6*~C$d&?eoaO0DA&=LlRD$l+GCz#uh z1vn9D>$_^9MT^piY=Tl=nXFfEQx-Sksw$5|J!zmT8vlVv*`aY=Pbk=N+4R_oVeVg! zopCRgPHYSZPJyvNgMlFEWpNGCsCLB0u~)T7-YWsKn6nBKMW;6jeJU>9!q=owV5N!n z8SW{STC9ww8szU%OLAv4B?K_Ga$a(fj*!#$h1DiHNTzr9I1RnAqhD1prLrQnbII!r z>mdr4e~p}O)%=)mywCrIChsb7;Ak>XBowJEI6Z{P$s`0&sts%^MF9{`nSHPj8&oW{ zMBA~4RGwkwS~v@Z;!#en5Yf50&g^S-$OQQB&U`L_|G|V^~ zfb_L_hzS|5A0yD%#Pg@>hD%BBW4fnqo?P4?t216#@PmamrjTWoKbMfub3m_n=L`44 zfi8LvZ^lYl{JSkb6V|yNJxm6mfR`r z=rJ{M4O*PS9}uGUw`3``)ETdKYvmd%S%zOngu|y&ARdN-nF?Omi}-5=v6NX#WK5dp z)rHC?MBsrZQKATL84C|>RLd78SJgsp$5dk1oe$d}Gj&@#Zg~&(9-b4xuL2}_rH100 zx7{lUO+JqH4 z#>j9|3Dw}VXTS!Npl+3BK!*GClom66M$8ab(_r$dNCl_UAH3CAOYLBB^=f5)IS*I9 z4nXAU5ZBq^b^N%=+F@37L@GJ|H_5nLp{-!L^KK`(b=X7i+R)$R^z`$G{3>jR`(2k= zbM_k~_AiVcY;()8X*)xEs8E5c-J(qyN-P$t^PpcT`Ivp{*5dJ$DKF=~9CIe2$L;VG zA6Kln4Dkcaq(!bJUcRhJqmE1jBxAm}*jW(XoYB({K5B+6dln^aB*)nx-!OeBq?1?h z{p0@WpV8I&%wp3(&Xp8)&TQvnP;pfWo8_a(y0|Rv(hiId#-?XwZ-Kb8r!PFPsQmuL z7mLr;$b-G_15knZFFX&X*eAS7*_nx&9pmm2$agtGA@2B*5g7Qlf0T#tf`Xv&UQR^r zKh*Cd&_LJ{M?QZYN(6F2&BtSrcJEvJcp(w~xqsy41VTQ*rUb)T*U~gL_SG|}qeDyx z$>7kyKw^2-(!~AOlLwa)+*dzq^$B9+($`S}73DsemnIB3$fLn9d9UE`0PC{`PMj?DbjXwy)-v`x#$DTvf2oN{x*2BuV0jpfvH`f67__yFWrmXa5 zeHk*mbYx+^q-v3Q@!(7`wxrHiSTSenG9C43tyxXj7;hzHoJZI=#{`G!9yZxMfbGzC 
zV?N~L$CW<%-MqdL_f1;>_qxL+j(6AdQxoz1)WNwwt>z}e@1IYtODFHCOK}-dW5O(E z%IpRe(oHF_82=o<(v)5(q?5ZGo`?WK$9X{0oqt9$|2bY;{rNeq_5U`l{?G2Lu&$ki zO~GPPH~HDMxv`KFGB0aCdw3aQV)ADU)ji<S>gP*`FkOx8u1xZTWVG#~g=VAkU#Z9Q?A&K_UwM*p(^bdYfv&Hvb! z4{!e)o$C!Ak^eEc{G>fD56kMowQ)Z>#<6(1Hp}M;&AE7LZaEVy0nh63RVQ(zP-t2@ z$Nbaxf799A)K?GmGrM3v#mY9&IDaNI&{+S+M)^$x^V2F>3B~5Uu>S8WYuh>EFF&*B zjb-uhLA-Q&<_4V9L=kJPYlzQQf>LV_$)2Vhs9)zGBkb>&1*52$GR*@V&$7(C(%EX9 zltq`F;L%RK919ZzyNR}Cul z$bCe~KOVo6GbMtDwzNv96tr?ko@9vxopE7!-g%xU20^%BTnRfdxomI%;nV?z&)6z z?G}X7HV`7VN77Ur!BcQmQb4BkzVmzMexucKhy`(2G<*U0H+LQ^JPm3zpmHI#1H7kcG?fNRvsM9 zT)Zn?sx2<{$F;4kN~QI7;luo-b=6m>1=BTPLT4%L)QvOFV20z>sfAQUI9kzVKXt_7qzHcxftheidjsQ!65YEKjbsi1Bl zP1zw+J>(%;ZEu1==Y-%yiaA3(u0hpSYd~f5Dw};Wu&^(MDvv}l6 z$i4bIA*kefiZ5rRHTD zi>!K_&f08y9~6h~T9@#r*eZWU(2(0VxI|d~czr+Yk4V z{9fb7mk?pFhFL^o6_a$;HKV-!_hS$I4Wl}qs0n+E__ncfT%83& zS0$+;y7{6*p%RHvC!3o4*4gV&N}sB%-5d?IF%Qg}RS!6s=!W+MY%Yzk0&h09F9I)<^w>WHu05vfZ=750hNz zGJ%KtbWrS|wlEzdjCJO?|oEJKhg+ zXQt)keZQWz*jrX?zb0qCz8XsJxIZqgOZXeuePjL|{`)82b7`4=C=_eVDHhj5)Lz-% zcPOy%t=(GQQ)5wnNS^{q?EKM%sL}qeSPedukZ?8-RlU&<8hGZ_2h-VK)|}fiC&7@J ziD3N)mFny3ELXGJJ=`b$4mc~OyRE%)fDt3AvkMri#p|2YrzS1uK1qgCB#)watPFr) zG|XHqp~QqesII}#YX9MN2{5HC^bRgWtDNL)P02t)n(6tz>3@qzLO8h7=fR8B!th}w zPF9eK#rE7)wk$Xp9+yi4)rhUixq}-hMtepZ8X0;kY&PjkIQRAD$|6`;G+Qhn~HVjBFw>NOl>3d`V_gw7eO^2_1>lW1b>ut1`y3|j@tdNj8K5BzEd-O!m68Kg4+ElQ19;nKPlPmofG)d7m9#8IsD396h_Ur42B3v`K`r$V#=+v)72?oX%ss>>vr$_IBNwSUKQhL+my@yoIm#p=8rB+o-h4&> z3VkFJwUVV{Q?7!q!f;6xYa??F?@XKE5jF%nMscCp=}~`$I6)ndL8Lkd(P!Xb*sNhGAyto#xx$x|vvC}M zKDS(TVUa{@YC4v@9#TpG$PIQid6@Db{>8xDFzE!RCYI9REP=D7-h#`M(`s}qud^U1 zGVviB_z3t+Nnsgv24_1`VX+7M1bz?zT})<;h_UEglR^h6a?DxZi-wkWow@?}fs57! 
zUmjp`^?+oUEXROMI{&PPM-k{c08cu0=_$+%tr=`oQAB(D=(j58EI3I1+$uz3R?a-- zUn`G2XBcq7*P|R#@tHr5*T%g;~f;B5jhRsVGh( zoL|s=jOVVxKwSifB*@FrV`@!p_$&j|rBhoJJ9qRGjA0oCk9Rf-=UT7YPLC&)6N{mJ zUcoi0PNAB!cDLV;J%)1uN53TS%zcKD-U6Iz?YitRs4F}}MY|;5=(f=sw&lpFVX=!x z%}Brx;b!kM6egR^oIE&rZad)wB)czQlDbx+(h!5wnol?G!DJcj%o|rG>O^g<4TtHS zht%d9*|XvkdsTB4x~>#I6iU0;|K%LwkZ5X0-GiyEokrQ(<6iR4qvgU=XMI9>I=^Zi z^vwM&$9wF?Ck*aq4nx1KLYsuZd}WH4f_Fli-@uf}*!d-!{rTlDi=njb?BsF&Tkb@gzWnTG9qwYWsd`mU(^kh$ z-AzMbV8zL};tL1`Q#^a80ru5^Jb@tBJ7y~Bk)ZTNEOsS`8oGtI_K2f()|rGecmFKX z^>*}vG?74Rl&Vl*ZePW5yj(lCkg%>8!MFCB5)%G0qO^td*6${HTEM82q7$O4hrQ0S zl$b;_ixF@Jp2k@>wt23!G|bUq4=^t|l|UmAWXc5YQck#+H-XpB?c*V+OG7=F;%{ls zL#!qB#L_p~#dI;OEw2RlgZQ}3Jp4Qi+Fj<~_CYBct10+acGR~BJ@MdVuY#gWZqyJy zT(xs&1t(OhQwm;jW)&q^HLKd#)osq`O5#mW$if#(Ub*E{v;|R`{3*M1Tk0)ovJKz~ zOWOnYB@cJ+li<=SzJ^xFb+9AYbRcu2>ozo~#;6&ch^Aj;G~{2nrPqu4zMLuHkG<^i zIl;4zygB!CP#ib^EpwQ(gvIXtLT_TFm=TebLdg-gi`ETJLRwfxxOL8R@I3iZc!lj$ zPrJTiV>0^a4%NLnGh-Q<{2bp$x}NSSZ=J_{y1r4&CTKe7shYwwBt4iaV^1{<1sDV# zWFaP2Bkj;hlEK>hj7xHEvK@&#)V}E)&+mmn_3JUc(ov~^0P>=^ZkJ+!&Gv5}+q0xJ z(HIIMTftgl*2w6)6N27_LHYIMnyLuz1P+(io>YH21l!y4TpK%D_1WlH_R*B*-T`AL zJaWI3iiBFr4VwaElh!1iGI#VpKp4Wfw)N>YbIMQhWs%Cq0D@Dob)&MkAYG}@3T;S} zPNgN?znc2s%PB;p{MB!X4NWI9fVzCw?(}re&bBVGA3|RfM&+U1B|df&HZJ7KsSqC` z=Ysm-sK>z)i@rbtP(Z!aEiS1gG>>JtMX~frEAr- z;~L|AzjB<0QES#S5Y+y8TC|g1ffc2;dF5 z>qEV&gVIei=Rgp!yzn-!SucpFs1xpiYF?(Ht)8lBAe> z=7s{#dRItJFMb6ZM4)kJdg*lAxj$sU`!9Z*`_=&g5Vh7#v^}_grPf~^UFZBQI5qUC z0mnSA0CJyrPWj8^_1Wx&+u$*`95w6-Ol^JL-=m0#9F`+)9S@G*Z;1W8GDP&jO@dq< zIcr738&yvug`7d6hXkN7Sn45!`T_%l`E`{-#ffmMExe$zTQa#TKY8fndq0}Jaclj* zCu99;o#E0w#~Y@#-@!zHC2$1~yut7m`u+)A8D>%?oHSzY)EUDZJ5AbX#ouSyOi%>A z>a`%Ow(uF6p3l7`70#83t*n*scItDPvSd$G5|LwHyMJ|N!= z3pU3_<8-RD@zKh))!MEhNAR-pU!qzAJ5|0q?-zl;fz}%YAeBj(kCFPZPAp_7SD8+t zyNd z0G6#{?+?;fs8-*eHYerbsSy4{GN5X?;`}K6zUZ;5g%i=o9RmAy1!Kjx?KL*D=Z9Uh z!(->}Eq=kjsUwT5F;6+?_GzPCk3e*l{P!0Nue`LzE|d1uN-IT#imy_M2k7r~*3gX9 zKd0-t-n6>sSR<_qjj`JgAVio0O)Wk+DnxCJy_PGF^>mvO)jd6JZ@&BDr0Ads#Qei4 
zhHP%j6GrHH%M&u>6{@YQuOrXaR(E!zA+P~)AKtKs3~NAE6PsnQ0uH%Gd;cZLUeH;!Ye`er48cLue5gO>HCYxY3eUIAcLvbK-x^G0!4SYd2HEIm>Pt?kN1boDv#V z8tPd|jKQyO7$~ma_bODj@3svZA@TUd^6z7g#bLq_%Q14Hu$4bGA?SsaXB2E@t~XVy z2BqW48mE!pj~f%#P8gz<5OgyR*k%-H#p*vpdl4og`I$!_Lz0L(pIEuKsWqtjso5W- zgYnnUidU2MVAE4Qu{~Z(MtR5jR!THX`to*DpCfl-UG~_qAomk+I4zX%P7;g$$`;`Q z9H80fx|f~3XEpDPHm=0N;IynD*kb6{h4m6BLz$NdOOY7W+*)m$J4`W&V&H% z2io2U0z8fkPb{<+bcU!5zGt5VQziCSX+s{ytthE;6!Y~Zl)L$NUp(&K<-3yp+WU%T&*gA}_>)#n;@3opxOc=*1mP?*!_#$pIW0iIio(&+BNWMWG=6kEkd za3FO({s0>opz}vt?li_Mju=#2_*Hw`uDh?ix`|=QlLGl?C2`uhu8ra7vz3g*GK<@WjIl9#TLA|Ru<7X^Hccz zyorqxa9pj{KY^Aam@2$=;bys7tpQI^cS2m*8Bq-Ilq*h^ZEt(+OI3UyIW@m7B1>{t zZfIeyT?R<(%~Vs0^sUOCD)@bE)6Q~x8u$ku!5FLfD+vtQN*^(>6*WnhRQ1Oo!5~=y zMX>u;n6a7P=)9DEs_R3Vm}1AoA@E3}Xc|1gE5R51ZDIsklhSNclRwjlrWseI%PTsT zOrA?fOXT_C4ZOarU}PtX7yMy?*16=^ROqs6VPW9jotx(oD=DpMRNv-G$l??_rW~P& zva%Td@%GYac%W~>f62&?u1J^QSw&_rt)!u}5FiduFX3@?c(Rr;z>e@zkC{{L;keA8 zc(W0H(^DIhlhdyLUfOxO;mS^-!wU8ijPMea%a`uI&nn8YNTHp{k}KF?ys14h;<9vn z5G=sg@rlJwqu{RuM0U-=%|#QI<%BsH&)5sI-R}1kw&A6IK?hJ%uKkuH%&Fp?0sJ+q zpIXzN5HfM-?xd6wTUb$|&;glRja}QEH_u))AjF4iO3pciT~pAQ!VmyM^Aa~xk}C4D zB}wKy5|Rz;xRw?;u~wBIK^53hF1J`vQkpRX;YztgVH^C~|2$&*;>#iI+F}}%QYGto zt5V-v6H~{SDl#TN`M|s5++%oWhyyHl>tjj7yD|D=xST7I`N8l*;@YAWJ0R-G;P;%JsnhKy0hdA8H^HeS@y26+2@9 z6=(+G0RaTS+hlSSQ41QG3nFv=K_rX;1OZY2{Y9*EOXAR(mFy@6J)0-ujV!5tY4MgXZxe;D98ph8&LyJ+j)nNCx}Bg+^~FVnB3 zt;V*Tl^6oH9CJslXM01SiFPswqhQkH3X=^?ogsDapL=(%v?bOQ_Pkm=S#}7kkD`*2 zZi#PWk>smT0TI+oReut~a(Z0cQep+`Adx`1fWs`2fyR>WLRxLSp7e%ePLxSFez^E) zc%B?qwT*(LEr35WH~ns}70@MD|9EyB!}~i%SJ0I@yitjb9*YZRpf1obO?k9Xw$#dTI zrE}8P;N*F9DFiOvGq7ou;iM_YhnPs|iet;muPV;tTr*uG*vQMon&BRaK8XYssRoBb zMQ{{YoI|(p51~C6f9{pC<#_C%{t7a**Sn92`_xOwn{f|Kl0R#hTh6CFR(dBp;TlWQ z?>qFDKdLFd*Dn#;i5J7ZQ@&i?*qKw%y-yB{B;(N!jZeROouidOJRsb2;mo=}^e$z9 zeGtrZS-Eg~e^hAFO%H*SPC2`Tv$sSGs58>Tvwc{7+{ONyb#8Ml@}?g5J5zIeuk9r_ zLx<3_`{e@zr}3gmr_I|m4#g+K)OqDe%WMDUXE}L}qIvNG_5n=Sl|`!5H3oFVIsUej zbQ@vyF46;JKxKyF;3{}SK;^Q2lKw8CSJj3jwic~QZ#%FOZ7V^8?9la!jpj&mK5vy8 
zBy#Brgs$dT=V0Gr&@z3r?@$ zhE?o)4$=;5oW5^9C|}#5%J9cFg&!WT-+A-DBdVq=?Ncy4PA1CZ!=31L%qxeTY}~q7 zGcWmLJq^;ls#Wda#LBFr;oxMw)ud1xF4SG2;cWn3Lwua|X+Dnru${-r!4yi~YXhvE z%}9srpBls4Uf$-cC-OVdqgv^}%U81~MVEMGceLH@MTg^uR*xE}ZsvO=A1j=G11mhx z9{6QPj;wC@COYhsU(T{L%inh#TNL=@a(yTdRFpRNZ)>%cJyajwZoRdiD|nE<`uWxV zQy`o1ud1Y);y7gE=8f=Uy=))R;loH~M_8~N*44YX1^-@NtxyAfBlrdc+>swHH5ysI zLjk6eoiO5w%+Rj(V41Zct6}h!i65`*At1-)dc_02`Yzau0D(;#X?6iZHE4m8-B-js za98N&`R@_@C$0%Xt6<%)SH37`s|!b&FCA!&ZXq!oZ@bUWR_BbAV=|580{M?|xNUpU zs4+AOMP29UT@_jllapm$JMNUg*I~WIJv8uVWN~9#kwpQs=xS2W32I1Dg zy#mg_0e}a)gp;vqQ7dYgsP%|t%AEI>+l|C#z{1!bg2<}vg?(?HrIWXY==HK9eE3__ zNn2&(GiOOU7;kwS!X$CZI)*7zr2%S$Mb&^lUFSNC)ne}vALKAF&3@SL3yxhUAC;3n z{e_m$`~L2#4yTA3ZU_u6D`Ki_@>)%5rVUJv#z1x5pb9y|;H~ z6eAGVg`nR13=d|DzXtZoO0?eQO9 z&3%DY%aeZ$6uAl$-1|u&Cx&!MYz+c6hpnP|Mp7}bRSwxTl*IO!@3t(=>l=xTEGsNl zzPOJ*%daRnXRCjUE)z`>IbX;t^R^_JlPn06(OFE%iG%9<_;_+%80XQ=!h(_{2ooHf z6~3Jvod$Z^;{~zTy$`1>3cbgAGphe73<7j2t#qSy*(EN^#8=+AG6}=ZO64vTgcw|L zmWf>Dla)1H(&iP;pi9(W*IvhU#t$QYCqm|})?==-b@{>Jb z?!VG#BMJTkZHBx_{)dteV;7duaXO4(p@GueuAsM zLg@he>qHh?u{gS7t@!?GWt+pEQ8kusiMtXi3Pmp)JS4tmx`)Tt-2!lblVawZ_<$*x0Jr}4r$oya;bpSwx>83-YkQL#v+(F30S!z36oOm)Ir^mA`M2#jszA^3 zZ5unA^-wT%A9R42LM2+zuoCuIomkx?-ujZ5^*9k+j8Xe$?`MsO%f@qn1T=F|JD>HZ z*ci0Nc{Ini;(gDSBTiH9d(fo%C*|ras$`o3xa8+1H(A)Fg_v&7C;GsAqzqklWa70+ zBl4^X#YReZ)-4kGz&Rh;g-Tj}SUnx}lfCCrz6YhYJMcn#(Z*3A!+HunKQCJ(K}8?~jY@_F}1YPxk`; zv)HB;!(s{fDYmwL6jd?&^eEMfs9C|7s4rBjn_A}3%U3ph&h0ytJX zwNY7Fqh_@%2x`i;(V4e({>^X+V~uvTRD0|<&3mFplmL@RPWZKhoT0SQT|k#F)(8}| zmGW$*9nMXNKZrR2YfDojOWhSm`VC$^uo2B!l^Ln+y+hl03tI2%7JVn{hSyYz{-<%H zm9s(5u)i-ev;JubrER)2XN;-Fv{BNsPWBp^T}@^7??}+zquugLo?QQhX^(#S#l>xe zWVN=&x(`e|$N)nJ*vH$D*cEr!!Aj7!at`o8BxITmHQ}z31JTfsayQ>zl|ScH{a+g? 
zL6v!(V^r=6n`5fNI1lG>o7bn#l4w?zZUPJ7F&TY0sTGZMo|~3>V1z$NF7gc#%@Tcb z@o7p^!^QWiXjU-t`X;VgO8Ee#F7%BLs~I%Q9V}_aK}G1}YBW1mFww8My?ExLQyzGz zC!G!lDRdRNp;jXn(H`x0W^MEz#?zKTqyXUCx&Fcae&Uvv-6sP96}55dbV zT52vW(E^9JOAvLXj2iE%*;}fr;CpB2!%pP7{W3MEEDi0oI{%cZbzW|O?`Vk46*m+Jl2|%>Ra`JkrG-cF~P&UoXv@#RE zzE?f(uScyd<$3r|YI@CQ+?B{xifnAhE^2Zejmo$cHzUOoF4HBMkRn9N5bK~afQsnk zx4*x5TQPtH(J^Y#C9_edB{!)OR_*OqW@L>5Js!?4i)?>F<(e1433V(c=9w7V>ktD$ z(nCrq>``Q>&qWz|vx~0gtPn2r`RTO4IRs5xnTLCuOAG@_E+%Z zbyszehP|A;uC1vb_$YU*jRn)*)f3y1eyIOs6G&SQ}pOclC$IrI^t^-h=%(+jS zd>A5#pY&K@b-;etH+-GAeou5R=YU(_2!$>+;5?&mlf0vTg_UTI#Rtm4MqpxdZ`;`Q>Vn! z>9q7|M43rphA!|KAMSqa55$_Ln&NNgc6}cRCWf$)Lt^lE+Inh#ZWC2MKY&R@C7#3Hy0-AE|;>BDnw>Q z*xcym=EEYMx3)S%cSAjc#4F+ZL%=-p`Hw|F$?kfYo}r{~RV1rk{6L7rY8-flQ^d>s zt@1Kps>^lR4*@~BrRqRN=D;|wyW-BKq#369o6bqczk9}+{RHv(SeA=aCG%OKO6y5< zqb_nKRc)8NeZRL^OJ!8y%+~eiog`uBYI@?yN%UgWQ@E%rCqG2WgFF5nLc-mD05k7q zJ;AF5e2o0&4U3_fcFeg0U#peKj{9zNJ%ev86%5 z?PIE5zpq}Wo8tTRir&}NM2*km-9(M=^Xo*7Zs*7OP>rtF*U)wM*S^}}&{gPng&vyH z+=m)Hn@t5@tNh=nkpsPjD6J*Pe5@Y=B4~oU#El(LhrX=|y`4K2A5l5zvcdiS*%W1n zQaJ6uJEfzLCb*U#xK}hDvy#T8f{*AJGlFzu@1RKepd*X;WWJ zQcyW%HwofsW<;xb5+7H2hC+FQ{}|Vd;~SH(T)JNQWsI>mfU`zXi!lMDdGeHv?}$joyEmYK~b@OsK3&dVk@|-Pze_5Dd4(v$n~!E zaimL%VrUc%8=mw=Ee)ZIoQ4_do3*9FgqWg zDK)UQHM)Ni#arB_9MT}OQ+^LET{2bUU`#7LM`-Yqe58_B)ze93@G;xdThC0K96>Mz7}VO6?W6jb*Mci_ehBn@*OVSkFU|!(&Aga^<5g zfU6;6>X4}@`&6Jn(rFmkCmNn>NXeZBkdiwsotcbS7O9EGJQ9IbrT8K&>*>OIF{r6e z%%6`W6PxUTVH@BH1!6ZYN}}c71yvkr@xoj{8C5h@f<<}I14`XVowLx`;L0fG)6(&+ zgeYZpWVaarLrvW5<2JKhO7HK9AOx)?#b=KJNyCy$3!TzWNbt zch> z`sNMl+G7k2ObZU;*=IvqCPkX~&t5-5TWqy_uD%rHU0MOMqv!F&kI}I9?8ys%eeHlK zr7%atZS~-rTm9HbX~w6zHc->=x=;q7s2X?XDn*A5Dcoq^s;t3`aFC8mC$8~Hy3NGR zzCgIUuqdR7kvc59rh@bKIxh|iX39+ltQLJ!U`UIHDu>G2U*ix_!LA(U?j%}f??%~L z10`)@hkvJPmF#H*ch$5km8NNhxzQ%xb0aliFR?Ff&a;%Zi=7{#n|-cz+#_J9c|6kV z;^+FfeLwkb_{TUL5LO;{nCEI}T-ilpAsWF!qI+x0o>?XsorSzhu48D^(9C66Cqz)(Ni^`7IU$Z!jKq1O z*G8ac0OIqocC$qtE&UbI6<6uUZx_jtOR_PZ5t#I{8QxxKBDcvS`g7i?OVz6r!;4X) 
zH30HLsIcW^>hbyVq%Bu%$*$=h*EXnoK-WZYAoRj!nDx#h6WPdH_SFR=$%4IFuIgK| z2XMnF+`Xe93ds^*rjkoTp$Re*7;;2lEool+@;e`pT6N?**7&y@%oe-ghJHZ%YFhQfJLKXc+e#;~joEm!7|Kr@xQt4xOew#0JgXz;kI6>2p|_lSp(s1-||{ zXtfHlQT6Gl`;qH^>Mp1DP_nu4fF_Kae7gT>rs*mm?t#I(OuwB?umbfL zdPRZt<;Y))HI2*ZUBA6@$s@2&BkV`&=uPv_1}>Y~vCQicn2dQG^y_J?T8#&-GsnQc zE72%aC+uxQeMQH^x!R3V9gR9;OWoILX*Lx8M5|KL}J#Rw~s@nED+a0phr zP$bO=&-)C`dMLu%tE4f$%xbp}cc%OL^$>nJc4j;$Z- z4`w66Tf)qVmfpt_>5fr0f41|l%xj=D6(+Z7=~9`BG*-;?7|?1&3DX}al#x94fH;}A zU~jn*RQx6;AQ_BY>jEYJS2|OMt4^wl38ZedBlpX}g1#$WA}MAN|IUI0<%HV@SgLpL zoqDsk@pYO@V`O1ShJa0=6oVxvC4wYBpyB$Lgho(Kq`({S_44xDK;75nm_qD08XurW zZ7rynkmz~NlSqax;0g|r1r@}>ZSoO!^LaahB_?+XV&5kQd3&25k4I8i4pYcLuS0-nvI|WDeP;6`Zn~1!AR)ly@Z7xafv|wA%YDQcV&VK zTmRLWnGhijb5)Unem{lKio94eo3<(!iw!)6qAFw0!(9sHGxlA}9QW3D^tCtqs!IkZ zqqIsa{vLVh=x)IC?nhwidM!blNfiG3W8pb9yKUc^Q+c^X-0_KBMz9=p zb7yNY*Tdu(lO2XHygG>AJ})=#%Dd-WwpbkO=v{2lOx^)TS~`r_L3DAE67cjdqpTlF zPm!aEYcnTmlLps^gZ4zF3NUgLLH>lSs^Z^fRLUQ3lrz)E$_H#wMT^AE;6)?_ipmqB3hC|2eY#5y+ zzvOLi@$z1NvO1hKWLAzmKjgbCm!+yfF^#;zsq*PZ=Kb5YB-=DySQ&eRF4NTf*}4l8 znwV*nsd%fwF$ZjDHY|WYX;XDAG~;pfC-dljnEA{E;TVoaKsGQu4($4}ivUti;pVdcBsJJ9V&DassMpw4=9OomQ0U zedjgH`Pdtn5{kG9^=8XX$3te*5C{ho^O=P~%w5KU7wmY6{yzYhKxn_$sFT$HTBt;t z7(!6BwR+}u`{wHTg4(;DL!%up=)QD3hW_=e!v-njT9K@JR+tR{rCJ4SLXCatK;>4u z&!cESvNh0P|KZiq(d0KB18ki-fbc&VfY;c1mse|QL~{&)#|L$SqPI+vEN77>R}mxP zj^!RO64v8p(`X$$tVqIJ^g5fyABKTmJzLE+9RYj^=9g7@0YTr6zoQud6m^gy7q>t9 zYx-ApbVS(XW?~fuA|GKsiIH*m8m;*5wN$(6^d={!f!|sw;aT$r>{U4rXBEPE##SDp zViDRT-7^VF`MiF*=fI0I;J)k4^13p$ex}!2gdg%4AhlF1Y#pVkC2OcmaO#yjhiNDQEdbLV^|68^^Lf{pvqk1A+(c6Y! 
zf3X=^+AbOxn1H7koRhsmBJJ zRMJ(}GLm^rPk7jTTQA1sq$PLQn7pC9DU(~CHvE`mg`JjD8f${n2+h2%jo0kYy>=N zMfhp!cXQ<1zeS3yP4R&o(OJO;TA!lqVSonpr>{>d{o2C-?O}kL9`0d)R?8j+XtnHN zfc7vzK@#E~251ih6b=J)9FRP&1Ak@pbGsV7@q-Jd<{}0*a*$}#oEc(JuU#TC-VPbl z;f5L9xvRIAgZc%o6qU?kO}*nyss!{Txq5p!Ox%)UrcMVbKpMViR)XjktrDc6!&WWw z1eGAN&2Cgv#FcVUgDvRfV%WxMBk>``y<$ok)NCuc4I#7-t8;negl|C^*4D}Y^@|X< zjAbkjOaa!F|Lf(;mtTGU<=3_RUtfOp`HOx2uZJj4IRBTo&7NEeu>WKG2EUbAz})XE ziNMOy;E7$y1@=p&$}#!n7GHFE!Tc9?ks7R)p%EA1qWWV{YOYEq>soCzUJj}1$z}Os zO?kZ@Fq2p1mUFwUrtY*iTKW9={H(m!_SwMp*}(SM!2Tt(ft4q|(ZRpN`K$*UG#nSS z_HZM_(tl7Y+j9S}^s3btw5+Ap)o=jJ?V%O5sY-j)k~?yYtvO;hJ6{itT-)(vkzjA? zC*sE17Z=s-Io+dcEjRZ$mGTO;pW8VtUWMMlF-~6Oo-QH!5nYf!rL*)XK{10s=uFUB z)4>aiYk8PMxTWBkr$*a=f399*k3G|$61nRkSP*1-X&}`$Ayk!$TF~9Pf!hF!AZ09e z0q-nEPtXQN28=YFA-w&Rryu!kIO1D-b}d_ifVQ@Em_rfWh9kKdoVJdE4gnV1)_8-F z+J+;vx%KTB@&IJEN12{re6?^2zf(N5r-!4qt(6#vm$oKOS|2`3Ke$sEs8a}-(-0iA z!T4tmtE!tGJ>)=x@y&+gngw8Z1!8yYa@6Y&xe2fADXnl19@zl)_+jwJc7Qv!HEAOV zUu-b0Scw|eF)f4e#I`lyaNMx)ZL~X_upQ%r?FbiaJ8RV=Ib}IdBc9RZ9nCVH-dq%| zsX96{Sp@c@EptVC$W++=X+U5?EE$n|`s)E$ObtHKSweYwJtEgJzhP229HtSuPGXu} zlmF-z<+_r^L)|UUu(_6pt>{Z*qC3^{s2!AP?UZMYKujH*57l}f?pU7lxHtHtap7xK zc83(m4 zjbnWf(e`HKZ!W=57@*zVCEbBtu*sZ41=U%7D{j90^S}AL>T|V`A`U8W8J^0?jh881 z@Ccq)2ibL09S2}Cco{YTn9`VKi2x0UR5?>o+l5@#s@r*Yabmt)uvAIlc#Ts5Pot!W z8KLH|mmlJwcuLUPae5*VD+ZPy&D)YKrb+9q^a%Z~m|NKi@ zEN=0ye;)pYz5ZKZCC{7e6CXYA)iF=iSma}z1>M;04c*&71z8FUmXl1x z6Qf#&1um%|+)t;M77M34|KZt;aHs_Hz{VrOQ>hpQFaeCGaL#X5)*eAubrVgU)6Fv) z&80H`m4s^+Xh@BIB1GXt|`$DMVtiU}?-^!e?YD3KF3!nZ6y| zyj&i?cMgMBZ!fE`ZFV(QT?YM9Ip3%6FUg{i;INi6DUv(LHY%+c9u;FJ z#O6wPM&nCf^gsx;2pVA3x1sC?iVX{zfz*J0%C~F@avJz6cby)}a|w5Ax!paI>$l>t zQaX8zz*(&En+uwa@vEDhrbR;A3^};l1343X*@eX8Uw(kOla%`JmhJg>Ao;z@>1@WM zbCK|1iyWS` zkFqyCdC*dJtAcdVqRBR7CtXjQSPakX$u+?tkw|5+$ol*(8`utaWm`7?sM?UnR2!MA zLOnZMOVNrC7Dk8v2(?BuMXq1voN2b-$DS}Shn2vqdfA?TKpzu1V9|W$5x1wuD1l=c zzhkMnjk;wS=6Ee62z(Xp{lV@nLqpC*u0qeQ|4C&+D%jihwVs1;C_DVldQWy0>#Xco 
z30=;;eG18%;hlqSPCfkB9X&$d!fkZA-ML+geiX0DyF9O4Zdhu7k{&nxCzac-QV?5z3E@u~lrpcJ( z%s@-)v7a5kKQ4P~wwQVKkV=yE=2ax*;?2qU>o30e3it%;FMof3KjAc`6OrE>Q7QRN z3Z|MP)5aLucs>alPdSTYjF*dv8=n^o-dD{*$t_H{IGTSR9gs2k)791a(dQWAOKwwf zpRoAGo3QjkMFsfkD<|!EPgAUzn2G^`}~PbFGY0A)aL#D`pd7rTCXSaV6`V#Z!g#FL&%Q! z07|Cv@zujp-Ru>>UfbUBH{;%KoPW5%JeZMyFy2WJXQ1CnE|Lut#a z*$`IHk6ERN6|jJYS*0f>r|&QS{`UC0*Khj?)p3FxnY8s%dz)QmEW$eH^p24twT)gKF(FFs~MTGN(7 z2(I2X-kZJ?k(0NcR5c;w2U*Z0SrWWCO53trO2rlvEiq8Xg7!A#Om8E?(=iBTh^ncj z4xS>}P}Woe48;h&1n#+HK|9BwDqHRTjPhjS1RJk?YR@1xMUzBCRH1=GPik*NW`9}T zqSTuXTT&$-!e!muh=3XC4WYp;;7Z4WNf<=RbT8G2SnLgdq#h5{Z*anL&okROu<}Fa zT;ocRRFFiZH((5frpY0uXPeXX1_CzPvJd(N^v!OkDPa{hXXgP~_!|NNtCwFaB6$>v zG-6rF+en-2ho?98wZHs2pR7qL&(7P#7;=f0VM(4{ot!@#k!L@g>i=l+^X&5E>ik*%Has;l zH~ zv#@RGfEJFt?RUp>RnTP2GkNrx>FT(@t9=GGJ2f4z=uvH^DXuJX7yb}gRn0bhTgxw5 zafI%ee3uY4beY4nwI%}Ue1OM^{iJIky1TeIJ=EpwoDAQ;;i_n219UH0B+@uQ**BD3 zsJF11T@-$G^Ko`=LY~ZcrQ*@;5-RDx2#6&eMad9+`-1$(e~@qf>-S%O`QpW)zQkUV zm@c1dsnAG7jzay{f01Xl8v(py$vrwM@$$v*O)FoJxhV23JBBSoxc4Fa`+%FF-uN(^ z={J9C++}}DUVb}5Ke=o8)yF_gIQeHS8fyE(9VND z#BsFGJ+z~lR>#p#$URiE5P?&!U#+Mx;D<-?&e}V*wvAyY2eryzZsUa3Sk{_IY`j^B zz^7(+Ie|q^O5;%qDso9~gubq*j941Or+EylwVG=lG3%NWVwqE$(SStyR_$6eXY#XF zYG<~bQLeW|t;bfkUD4pL#5Q}Ye|&ys0-{6Jbl%6hcLchJ4RJ}Xzj*QD#fxh)Cf8ql z{=2U~?;uKH!uW!xd{Hc3k#>C1AfT$@Zk9b7*9ITVM*quxFH1t+h}>Y!IFwH(hwIUe z?9l|=P$w6G{~^Lu;n!0klvFv*`cLuRwX?PCT|4)#oqN~Ly=&**wbL(q*Us*;ckOH} zd)LmrYv)RC?cBR|?p-_guAO_=&i1l* z?cBR|)~54`xpvM)D>{GGg4y^|PxHAbR7hq7crVoN6W{K(wrSq(L&nm}IiIzttM*=> zPsQsq6gm~{1J^CE_g$?KjHLGxI8r5y zhR#YzXqt+|9i+!d5)kz~Uj#FmO+Mb2#nj%No~~}&Dz`rMm+QsO^k2J+d)!4zz>+pN zM%9YD!2qrei|qsQUXRGN75lHzB5)0xX^pIae!V>!hL*?ef`0D-eXvY`b4KHYNojOZ zJ!x}lZ+Ged46!Pgyknbyy06!>y4$^9wGv=&jAL|T z24?5Y_hS^v;((dOay4hNTCqM<3zpxoxb&&!sopxr{#$8`Vt1Cah{Y^zYohmBAAY5G zaZiu1;9Fs(R@U0oy47Vib+)hYTl2yrE-s|tm-F{RT`(FikK;IJQnoE(U_Qf^I%`wj z`dX(U*o7b%XT_@iU*!dxw6JyhQOC5lDM&gdoiFH39}RDuCHSyTZ9GqY*b%TzxFWHL zZdq==salqr#O-zrk9@IlJLf zH;x4wL&Ny0LaVh&IzkN0N?QnL2 
zz^ZOCd9W+Ytm%J`OE(kU{q0XuwUGy$sjNtnE@>!~9@$##ta+iW`XN{^^q^#;d~*!y zSIz9cXLrE$0;hX6doR>^&Lm4!tK8Bo>I8h+#VccnS{_0lTb}vtuDc$X@cn|dxUq#V ziK~b>F9~NR&Y6-G6)1SSXA~V;jcak!`nBEnKvnd+u6Dh&F(f*TjC$8TnX-r$()FXI zN|U`}A&OKn>ljZm5s%2UP==1Jw21L=;5Ua(a@YFCPFVX68tCujj;TDtDLMMgg#GdK z29K`pleHM6)7ycgbD5WGau|H$2s}XwV&9=cOA`#Rf95;hABZFa1@nK4&X} z2EJ9YpUz&GGfZ=1qU%oHd~XawjjYm@|7l&`$Xw`}CS=AqIb}9~e9Rh^W}5TLMC{i# z0+0XeOvG1gktI~IiTAW&OLuax!?;(Ug?{8UeOog6o-DD8mGnf4%@z?WYFIyfu-m1( z{k=571E(!ki2j+c*D*{vV%gsg9kG9N8@A!vGR+C1TC{!Kv8fUsu~ha64d$)7jB0*e zb^hqHy@aF&@8ZOQY3y|(R=@}}*U z0sm(%?1^`=wtQ@_TYbS!B0IhM%Ecfhksle~nWIRIO*0s&ikZ~MrF4<7JC@jYnpuj? zw3LM0Bw|XFw{072WnC)odvor5AsVyGw{b(xC?n@IFD*3-k(!3=I;WgMrirzg}CaC`l9slxT{GWe2{L9$<>o@kN zrgZY8Z^L%nCyBUu0_pu%dQm6G;^tp9x&MNxoJW0G{mom|RE#Vta+oXBI!SkQ@a@K< zjS(7yRZ)eSvs8s^qpBa&)o;~@l{>cOU{^=hB762bxwRYrRz}cZ=d+7Y>;HnOdADO& zJ?;V&6ARVI``OZGgVmq6KHk{A+8UYC`!&}+k}in`jU)oCO9J$F>2o&{6`6J3w!K66H{@s}%I z$)&CY!(y*J_!$Frua8RyXTB{T)ZS>D$|~DH8gJc%`LTI-cFg3eiX|Ywd!rG4;W~Fv$3w$< zppQ(SBDQf)RcnBl(VBOSGfy}1qjQGXy~$GVHmRs$vm%j9Rqrfxwlv$*ZCcOH)=;-$ z9d63{ z%m|J?gOK>K^|GOItlO63SuPgnaI*{7%~nY!gaW;*?iXhUqvW10frEh!LnuMyR%bL5 zwawC4ySIUwM&5VF-?HUdmzY)=pnVy5c8Qt94~(NyWbH&!i`zP7ppJA zTVK6=+1KFzK7RKW-1{;m$yBJhX;*(h-A!f<`$0+xCL&J3INsB`N@LioFb5cZd)%-z}k;U!fzRw$v@_z$VSfZ zJ!ewi3`T0krplesLPN?DjXiDf*ilk6jap*pK zYQ722->2*Al?f`FWq^>`HhUrLbO1BGAuHXpdR^<*EsO;)(M^kCI8b!r*o22RHIzKG z;ehVU??C+kTN$0xOP_FLjv8ui=B*z-o(G2jyx&GKUw%CmhY*-EF|)VP0^hLuEWnKI zL{{yYogTKW()l0DKDvAg5Jjke!SqUmnzsxW*GeU5sfTVmlp*XLG=1K4xeU2l&OHva zsx7C=LC!ngz~Q%+UXj2vbvEJO5(lq3DS8k+$2rJFMsGSid4^9#yS0%VKaiqlsi%TqshyH@)Fu&}9rsz91r*}*e$rn7K zc>-emB@PT?%UF8Ha{+mv$Q{i&*xNkj@qZltczgkX=+80bl^p>BHP(CSRky3PBewr~ zVSrfL@qnGRP?)8Jebj6WzuS~Z^oa=L^5SiMLleGEMz=#m=oS#}+89zYklpIyvlBP@V0xsh(H{r+V zy?mWesd)5VBBEQc>TZjUG}T?1my{g;bV*LRymcCGTtqGjRf_*Uy@WTS3G+~UZ=9inah*7(v%kS>e*0X zIZb*bEjD5Xr{4Bnf24~nVe%Du#y+YqpN+_~k29(Nld73~HX&z=Ea4GXn(;|zEYF=B ziyvrq$m4XjpP^y19b;zo!|8`tz}Clt+(UHaoxUDfo{QXtl6%t(w{|2JSuPgbU5nmv8FpPkK!fk3j{(-RZHBv(s%) 
ztgRQMc1+WFcIvVwv0MUhvm$Zjj^}vsA0990FCrzczq>RQ?I5w*wr07P_=Tmru@lzI z?)NwX(_f05Y0fE_S#w|1Sup)OIi-psCkCXhb4pD5E4ZFDmo?>SY$#+Hj}^-EL~uFX zyz4c>)`oiEeQ58CKk43{;O_xuT>@DqQ#K+OjK)M$2J_FKa<16qU|Tn)J{j+aW^lD1 z*}=W{3@5Q(NjPsE+FaMoIV00VOo=%s+Z@#o7iWV9^~1%P9h3g2m{o?;p*1hdE{3yf z=KD>J8xCh%oWXyEquw4nJ$WETI(Rv5dD@d6p-vF=7g`WR2QV)=`sJKznoSl(qIlM8 z!#CSY??*^+Za12i(}4hzQ-;3K@hhU4>>)KaSNM*m^hQ?)1e`4J&)!=SY0+c+)S5-iXIy(3ia!4@_mP&j6dQ4!Uc42_;~GCcDP8^;b+ow zb_aAXj9!$J-~F2H^QJT-V%dBa9we_{e{)$?rJt~DPTpLuQi0BS1Fet&>H+2Zfg}l^ zF~vIv6-px(BIQcty)ocJX@sp;@0AO?qU4?TD*LdRuP2N6v$?n*D={u48#e$HR!eWhDVD(j@?C+jSo-}K>#U;nR4iR| ze~_AKGUy|%PX5)B3!z3Nrv_Mx8g*=uB)CK>XKdsv8IL|4hN?0-Pnx@WxE((9p6p|s z$Qlb&)?8hp%gXQ0&s7O1^@vth-^rB4n+6yQHG*GSeHNC?Ugj$Kp;)Bkcaj z z0X07;tPE9R(Fkf*7ELU+ebjWFkZ;t#lyetQKw}~C9lactLqy|6fFAUT5v?%pJ%G&% z29673f9D{u|>g%>x%Ab=l_F$aF<-%=& z?|%%ZjHjg=egdu*+gNb&q!{cctr2>FH3(;;cg@w6_YLIbl^FGEm^LJu-S(@?x&Hz1jS5?g~W?ik!EJ z?0^H(+>WVk0QdAzq4bXxOkWLic=7d@Uj}?(km>+FzYGw`Y=A>5Y;?TkG0Qm40FU7v zN8;}^7Jpa1kwH52p@$19tuf&v!e}%nw`@5s6H8hzTksRZz`N?j9|b7IPaL_jxC{oX z!w=N3LZZX3xt|MZV#84+>TSnDplHsFr7oKZjAla4W_93*giGB8fI&1p>usZ<=dM;b z2NHKwk*?H^fCT|90G)>pQ;Ty_wt)dy27S@IYgfrl^e9Lquu)q~6=rF`i(L1eNl7sI z-h$@0EOzvF0s(Z=CZY@wZVc!H2>lJ%3kQ?QfkA}GeLRH_7=}Rm(qKfJ0G_W8^Tw7T zJbM5JPUDc)#KN&<0Q*XUuyGnY87N!q9xKO|N4V&*Jl1uOWhWRqw(R}}$FkFV9Ltc~ z9Lo@VY!Yar#F@Mx|lq+3?hdi0wk7hte*0%PRyQaAA{5g zp&k<<3ZtR>a6LuQ<0*-Dp&$z0PENudvIzDg7f)7CY6k3J@4!V)G;su8)utH7EG660 z+y?I0^^{(bnc9zZAg5`SdO&vCdc}~+fK>;{o zIZ!tC5ffW>)_8JxM&g{`v0ReF@0gaj7*$2y9Um2}tAU!guBL%n?KR^gd6lEViNRTs zz6PqF7MzF_ZgU{#OHt%#*mbx{k;rq+KS0A&5=`~Y@-k6zD_&H!JdKzTXXNV$zv!*Y zaCjE17#TcpDk(E_XHez$46Sc|6p-$?*R3UZ8B!6m z^J1ECIqyl-U6!GX($oezU#__Kw3&ti%ucD~z?tbAPqUm{3o`;%$ky&3B>}c57|aTt^e%`59)e@L^+?-5Os07;?>!({IuWWgXMNAC@}zh1^az(VA~tm%Cf$JZRef3&CX3%04~QXp?4C2}p6@W%?{No@=$Rx3=!Bt$S-Lsh?NOzyMN#1*WSIrCx$! 
zhSNWx>sY%^OR|Y9emxG?lR82eF=5VnsXwlz>e18{_`NM##-Pps8Lwdu4$2U^OO|NP zmQ-!oq55d&Xg`lu_eXqC?0NKFV-r?}WO&0`szuBNw9w3KdSzj8%vTL*S zy5{JSQ>a&YoWN%H=IFgSnmlE5w0FCn8-sJj;ylDy?VAs*aeB(Ecwq#XRD=-}0%y*e zrA1!#Iy#t44$$vt(w_;SQe~lL<>Y zL9PA_-UHse!LqmRIp#H+q=ZJdD5be64$+xb5W=55Gfof-MpLJQ2S*qYvjgeg#ij?T z!_j_jycZ8mMb9-K`wkeDokJ!EEIS#5$HISMZ#6U4YY+^%*@xZdgKqJ`k;8Ui)(c7r zke>}y*^DG2^1Q@+-V8V3YfA${O}UVYn*YL(xdr8OBGJQ!N01~3WO3Lh!F%rt(gJ+s zi()|vse3BYY8_=q?`@tRz{cV!d{ogx^po#7BbRRGO63>Cwp-y@79dfXUKoi$%)rsZ zG0xJZRvCPNQ=U{$u+3B9Cbme8ALLUxZ%>wK+kjOIyLqj@<<_oV=fGLHd;NqGRcB6W zoeAApHpctTX0Dt*%UsyeGBS`{ypo;o!^lN#bQn7d&zqKXP%$B^Sp025t5Ymy&ar zpaE@yCkf>Xawr)iukD$@CzmMepk}u}JB{zcC|q97)WB3)4YlWI0Vlt=!)e^y<>w*0 zwt2832ggC1>4>GVC_Q^R>pVU`LsfSr{g}yl0S^+9-uUQ`?#y@At8cZG@HFOkJT7R0 z_gVk=PA<=|Rem#9<9i0$Zsa&h0%!ZmS6s8XgsV>xCAyCyGu940+IzYL6j|f$Tk%n{ z=?Jj;KK;|e-kE0G^o{r!C`Uw7;IzS7p|=o_ht=Ws9X2mhiTecae@XS`?2)WOrJlQT z<6W^umQb~Im!O|K>xgHi*W`z$@t7uhx1axbVuC}FXbf^6ys~#j>T*D8*0qsd0Epp~ z#X$2-&qD0%;yz`$-9hI+o{R{eu!;T4Rb}roC2la-#Rhxz`y7aPf;usIhP~1*XI;<6m7^)SYoMS7KqNYkiiwK)Kv3K)&v^RQ>&{Ul?FvUp*-1U z^uvNF8dF7g6#?;%x}2xR!3t*DbG$N~h?R~+#(hkV^B+%w+5vG0CKn*_l-{+*NRLqq zAQaFf5%&hT(zb~7mc=A4g7x_&%?`094pPu--gQ@taaDRJMb+4YM&=rA;w)7>XC4+y zP*Y|dixdx3bwzQ>Z55xwo0va>g}b44S0#aBL@I1gx=a z##*aB2v}oJL)#wiV+7vc;FlQw#rougpq32Uv*Pa!{9)M!=R`4O`jD1Ta^cfYa0&c& z8vIDhQ}8|H2{YzZ3k{&Joa6H|?A@@o-v9|%8eUP&c^;25nyV%1qehjUxv1wMzCP=? z9ff2_^h;%lVT!B?)7Z`jd6d{vU)5cYIy4m9mddF8oLp8Z^a+f5m}?Ng5AhytsQ+@1 zstC(qKcdZj{YjOwJ{*6f$+)a~^C24pa){B33O}UOF~y)|(KU?-pXrNSq+>Ao26v;h zsTl@*VjSF2GXm7e>y6h$N#w|38WiY-1qdY8`5a>oTC6G4aI`^Eau>cv#UtF7z2RxB zPZV66plgvu6fx#>n}$Y(^X!!i!A#YHs%Xw6kpi%*rJ_l~VrO5&g%rT?8QWWMdmh6W zJ~f`6$*6U+gc{}AtVkpD%jIh6=Y6g)@1Q4PD)cdgkFS@b7xKJaQo{cVzndr8#2a4N3SqG*6n zM%6|KTOSk{o$dKMq8<;{z2-!V@I^pmH! 
z?)H2RSV#bWdrp3kxIFGgaFKUGk~vy|jBq}n@#7?$d#(F2u8W$k&QYabC%KUFz5Qed zUEIsRrtIb4dfCgrA?05|{v{<NgtYW4p4?!99i@lVtS}wz#UpnO9PEF$i40o+wDMNleKWsm+pnPFdBjeeOT(C&o zu^hL^>yH^twTS+P@HXz9T$bP z;S`0!Yg;NKozD4g8RpBXFA}>?2rDuw(xgv}f=qi0BXwLsHqu_G1GENvA9!KNl=t5)lHYZ;Oj7 zf+WI{#~4Oq?P0srl7TVo^+(Nw1CZI;l6AeJ5+8HeexI3XbW`iI+33Z&7UNBf!{+h( z(_!Rbpqn7skk}D&+%W?Htriz2?j|2%@8Q%An+&q9`U{I)&kd(#@V4~Zu7*$FvgLs^ z_-7)ObDr7c>2NErvth9O2!7SJQIyEf(h+$tl>X0ah&q8yc`BHEFBJUppsRs{dyKU( zMm-LuHt;b<m`I-9 zB&_nxSQ)%(1~w1IL%sFxXu>eAk)|#=q?oPnnIn@mT3_?dwd~m~TRs~NQi~G*dec>$ zrO!%8*9yUL3>SD5JcDP?R$0^a*v*HKdA8w>X_UGr2}LW+u1yB@_L}m~U3%}7mM;?z z`)E3DfB^}PN*a9V>$z(lY(-id_5ybuR<>S&ADce#VwSlax=5=D-aVWPKZ-`=CiZ#7 zKNphWm5G1CQec*)^sC63%mn(cHV)KqCUZ!4Z@u0W$%;G^(quNPZ}LG=LnegFhEZZf zvD^9jyf{?l;~Ll;8lF5rtW-1)BDg=+u@Z$Ohk1lu!T9b2^k4BzY+9sHzW0+7)qXp(=>?VXnI5N!s~vNpk>9YC6l2|ZY321GE^WQu*W)R^-8~sQrIcIn>q@s$AFm2~7@zU5ZvJf$! z8UMCR&qg^yhy{a?-~&nrcVp-@Zjbike@prj4caqxzr1Egh-R|7x&OnOH&ICXD_b_Z zdLT)F1y8Hsf0l6*8*%|Z0$~(0@}^8|$|Y#wxrJ8KM~A0TQW#@A(l||Rc0AK-U-ISW zmW#5H7tXsU+@V1Ogo0v>v<`#-JsWIoj?wiwVOp%<=Y!R z%^5kF(==s?hgIFD?A6kpQZ$<5?Ldj9a0%15@?1zo7Brgk)Zucb7KOaC(h?tL8z5Rc z&AV(izMrtTl8(8z9tYgJQb(Du(GVS&P!ulV5`=gATWC)RP0kk1u*g&Ij%Vfr%|Cb? zPXN{zyO=faQ4&jS_ppDlYQT(8ONYt~K z^0b7LESFE;Klw-#W(Dp9TPU~vIGOvCi z1JZO_%=R$Y%;1f)=WbfL8y~XWYd&TfOJm5j_om#|I6qrk7Lyz9X{9hfuo>$rmzk#! 
zn2RJJ5Sx8eIn}gwp{c5?b4F;o?9DR>)2si^hR50-K+2$ffQ zD|d#y1>)_~6e9Vtk`V+u^Ywe)JjqC#ZFlXOH99gsU15Sww}Hc&U*`5Pmfx1&{v_ ztZf>=7Y1#;bcQ)ruMReQEgH;t(_U zys5d{konTZrqN=~OBvgU^$JG;2;0Gj$Mo)pAI?sP@%-g?mIa1?SEnZg`JPL(1M;5> zU&4i)4Q>~k`nEIbphI{Qu~O51%H{30 zU%H7{X|RjAy!`|;)^%CTCNuH!7cE6W?hPV*psaVrvsdJGDvO+zZqD_lG<&r*$q#Z0 z$X5@h-G0EWVy5&-s?#%?E09{Zy+d8amg;&xq}$k{XEPgxRrSf>(p6GAIKV|WWE;M5 zxqZk{%OgXIwmT~vzO2MTe##4p3pp5R#M!T_2|pjHV8h4FP@P@kweQ7 zO-aHm_?jU=OO$_}Ke-*h8qmd%aFypI^K_Ilg**`ilI~w8DKcV?wU{oK{{;uE}iU`Y|$hLyz{& zWjTf16Er1fDOY8NeGIcpL~1;)bj`-#al@5C{>Fy%V_REilVz3*NbBrIuoY{GO>ew) z(bJ`-wxC&POf7#8yL#W*G&MHii^wspC9dDWWO6WpOaEYUU^&mk`S_Z9v}|-p!m;WO zoe=WDMpy$%Z_S<9c?y@=XA#`3y3YgjexQvkrhcc5_wfzCGoYSZGh&oo8?*!b5gFwiqg{n_;fNRn#4eIZiK?F^RF3Wv4u}hOQ;|YXCl?;hT<~u95id(Az#u}1kU4dJ&v`(Ln@X&n;B3({TqZ^|) znC2)qw!AFocRXP?keisNH?l<4Gr>fC_9UCfxN1v!r~fLEYVc6K|8NBv!ok~OrwVD^ znV!u=$avhn@>d^DKOFu;ODb{loczR0-yyb2ta+&EC+!c`f>E1x+Graik)|vPN$4HET0ajXll~Asj1d2u|MQDKH<~b2L;o0A59Othf z-?GUI7{(Pym%4_g&V%GoEi;q2?ds$lYLevlU%vpB^NY{Fe$l%}9xvwa-^F~t>oAH+ zFa)3oX_oO4V+Sv|ZkZooQOrPD~F z&p#a!y;W@t|GDcJkM-5w`P`r2O|?3GL}19``)+U{v94u^=;`~*zrQ{H?)6((5#v>- zPqGnzw(ZKj6{-=mC(`X1+tZqvJtgnoTn@Cb@6!B`&bnsn(RK7*N`;C#LQf(jBMr#7 zywe#XPu?o5rwXU<$=QQ-$mPj7&;PX+OpNyA`X& z*bIBqD==$9D%=*)Zmis36k3Qy&%#~_r0zC!v|vx-MF2^+T_(nzSe+Zd3hQ{3fZDc= zO93j{g(}ijT!;CfL*|!IY1tIx)jI(1<53rYJgGb9ryVH@wyPuvBVIh6V~{947p=#( zZQHhO+qP}n<{8^Q<2hs7wr$*bzgzeINGjRsbahpCs=Cu_Kg-VCRwnOQDAHxBV5&5} z3gran7gE~S5V#04sGg&V#`J-0CQ!T#K^^QH*eXE$?7#sJ`iy>khzSqVyNtiu!N<)? z(-oVWW>%NfHzlRUei`gUf46ovY_5NJu6HO**j<^wMmg)z&G+Z{yqFH0d4E3AQ`5)qLoa<*+wh4--1{jXq8 zrM&lb>&8!ds7J#War^!JXyTjf=jE=eEkumqg+PtG6~_8Volg94CLMn}z5RKq ztX_8W5o8oL552K2tkepw3D%O_jG6umfGkBpaEuMHHfCqikjoQlg8^{Gsx}+~31k9X|Fyrnjd$;EQk+A3g2>;}kSjdqho4W} z5xIbHx=sF3PvD})j)k{g;;A}sAql^}00ETCE!qDP=#XJJB4f)UBi;c$H(fFpZ7gMW zg_+D*%*fix&FUIs{viv=Jx1o-LCo)*n=?j3PYnTo3m7=7JBx|nF;D8U5GU$axHAgU zpqbRP_d-o76{`*5PGmXc-FDS^r+9cB0~Hf!P|v?CJ~?3Csi1uNwa z3{N|iBIw^>#*w2UTs^~3hw>wp)2xNU6&%_sLZ`vL>h2=hl7ed}uTqzqci! 
z-7z4y5%a?1bbTu#r}xJ?n^@UAxAtxJM0&WTfTGEcu5mkIJ&h=p&K@6#h^tCE3IG!X zdpcAdEjog}*sJOs4n$*{8wHlB>6v{9ij|<52R2>g%8Wo%tRJ-j338tPMacg!5Ljwz zT1>krKgQjM$RSgo1m9p#-2+tjc@?v=uBMw*Ef+{8TA$}E$$SwV|HQ-S9h91-bv9*n^Nlqpg5XWiz9UFf=R$&IMX?t^)bPz z$`~GU^M)M>@d+;FlvU$74L+W3)WY1O2#HO}%;POK*|&=7N_ZruSstz^Lf18<3}$TV z?Ob@t2hr;_xAzvUVTqBy*pjlNo|1~q9E%T}ziPtGA-*FIj>(oZ;>g6Sewa#pK^D4f}X7aJt>ePd`n4`L% zWNfiw#2_3!VMW;fm7HX1x4M`+2w1}wQ8ti1axzX6i+0Y#6=UEoqn#EQAS_mX@{mMx z#sd(`sM~C}RGp<6My&U1V~w#?0dIj_BJ$#qk?t|{LTBwXt~Qt=JJo{QxgrbKGJ4|% z$rI|TDdf1i!;vKe2UoU6o#AZG8i4UUOyTTd5mJoCFsoZ0OaVlqmWC>?5Xyf%~SL)$SbXDq2 zn+bqqB`)}ivybqP6>@>z6WFOgH7c`LdtvUUsnYM+X+1H?Fbp)F89q7YJw&;fu3{K4 z2((V}2(=DlvaTTGDRZR~QL0d+xM-Vx>w@RDo_8Cf>vU_~l!Cy4*44V6>m)nW6^Y?j z3gHu^8>|VWbBLIJD@gS{8LHOv(6vLQ=?YdGczUQ7eQlP!HyR`lnq(f2mh89W3=n8P zXoNAcVoNSp>wFX2nJZcN$Iw=4W#s^4Nn!sDcsBf{#FY@njgt&Z!fHVdU|FqK8Tmzj z*<#&XR&IdF21GNkPxG&Cwo!aRh2k*)vkaPyl zvkl|Zs%G+B4s9nO_BxbF&N8)|-K*BYCrlJ>+RN|_J31q_YS2aARwzl1&FL1I9VRn( zb!^$k-+}EW5$QwgDd@_3+_+%nnltEKxRuAiGE3hdK%2qr_62 zBSR)m0jcqRb9ZP~tUrId*00DRth$6@TZd|QSXvffdde%RITW|c-a4=c{%CT!2iSJ; zIosA@$XW-Q^yCsLKBK~QEC)tfXE>eQr$4r+wKQ7>F2&G=b4ZFzQ7uL$G#OMo!iUo- z^*lUPZ4!GXFg7lV$Gk!+4Nv$h;Ilb9&k&Euv|>Jr$&ij>5y!k4t%%*3bM2^HW&TuO z)2mG_)}19?cm`xGB{c5s7ySKCeAea7@K%!ug0bs4R-AoOhEAHGzBag7Z?nxH|potw>E;EY-;K_fv3Zu=o2p|KP-*gXeQ1`p*CRsx90< zw~ycN;S+x5$MWa(>fz*9mn`LqK>?fLx)|6?3G ztwsWnSJ^N+(mq+&7wZ&Tg|Po8)sxCM&%AVS|{fcMt25cjr0JK6rfl!S?2@RXz4v zwa9y>O>51&=SnB+znXXFTa;%C8HQjhcJIMUdu*jIifrV zU?G9~H@|MmH8y>@>0ZH2CSmMoveL6Bo5*fcteO|I3Cty35i;ls+1_-RiOz~7jALv3 zH16hN9!G6Q)Xm|n=dk}K38p+OoQPH)_CjKOCq3Y}zmr6XV(~?Gn&&OXG6PHC1U+$v zk8ovw(;VkLWA+rW8*T4YI&~>0P)S%OoCJ$Fll6KPau_VW28pMeire=n$MF=p%-EAj z$3h#w)65W_YIQxQ&S$_`qBe8J(-XwRUt{+q-X?#9krId4b`EazEf`q`jJYJ7DF6?Y z+R`o3w04B9rhL9hGoy*pk@;QMq+e}Etx6rwREs4B%2f`Jpc{8B3&VCXJ@#i-^x=3+ z2SM^-6%fF3Y4j%p{kb(q$_W_H49Pqy&y(UiN|p=L3idzKRw)Dlv#{1#M+G=dp@A(p3=lqX6lM%A4Nq618 zeN9ulL@zF87$>oSR)^QoX)9|$*p~mLveH3$m2A;A`ldTX<6L>MwcLK=#q5-L?7|NQ 
zh&h9zBRhQ>V^J1aYWj7~o;_01S|&pj06t}I2XApA-90akfSo8ms0{ja+3bU*Zg~nC z8%nYR_`X32++e2Rbk%REwkF;=ibO`<)(ehX%-JUX#=_U>;p_8${bVvHik|0WH6(@S zk<(g2G0H2dG11o?`Tx}VnvvSN_EHONH6?n3sGd&(6)5a-V>$94^l*#ZGyixaK|9Pz zCf0J(68qN#k?6xiGF1U8qKAln^)k}l;ZG-T#KII5`m@wNYrqT{ooA)@GR@6YPNCi&eJFMBRcUx!hOd^&ikyzp~qT+}X z$Ks`-^0qzb|0$#gofJT2+H273z9mQ^$KXiJ4ns_xUj~pf>jmKd0KUg7bQzI})G=C} zUS4ojp#b_p5<_f1PnTUNK8SD5#uHWB(^|W?t9%zc;1PWmVcQ9iEX-!QqXyfJG(|25 zO=(toggk>CkX$A^Ik5>FGQ!oDL~*B`@R%imEI8?(4JDH|nh0Me6xPCAoVKjE>wD;o zgz9$C!1QnjJuY2jAGwzfm+SD{PV7d94@2VxNZzK@<}q{wIvnTPYYbZ`w*1qN6FPP#Z-nQt%XIY6;$4POxygq& z7#w4BA2DFF#5t3dbc;-yUE;3Xy+MA%L;2KQzoxa=8}E+5v!sN`-*Lo zJccp69#9-B{iN&Y^?)weBw{5t>_n37n<8E-ekYh5+^WMA>JK)`0a+t$A^4|CvCPBry0y*-u|qL-C9 zH{%s9QG$XI7Js)-HP^?*BK?$W!&4sQr# zMUT~&fXb$$up|uO&-`pnV3j!<1(IvMWdze|2+yeY{0BMYUPRC0uvI<`-<6YxW*HAH z!J&o4x)PfJmtRNavh|O_2P;G>#adLr!~O+*FHAd|CtSw?2gzK}sFQhTF(+^uj<8w{ z9H4KWO2V<%%U%OFY&b5`H`etNt_cW^O&)keToZWEsRx2VTzJ62Dlfzcuz)=e%I>h7 zAsdkFL16+G92v0y9W3ZP2AUT-Ojd(zc}!p;@?Jg0MQ9EW3dnE~pgs@X=07<>Iy|WL zeLw)(ut5!&*gdHD9jzOJD~voN=mHe&&_Ana0RIS_Fz`gsz!(uR%vzty8yp@30W*N{ zgy*^cJS|+pv;VeHnmh~afi0)m2 zgMxH+tR+`nEN%>a+#4&f4h>Mrj9e0@Te;R=BCW}=z>m`IjLA5|@IQkwsRw6#)m7>| zY?1P;hnTZv2u83VAUM3LydLw;$SgZ4N_sT&aO=*sg@QaGm4neDDHN zKkjJqE1CEwQ)I04p5vx^eHS~Zcd>Vs%eq{MXEc;7o*eS!S&=yXKqBiz)M<7Mho6t! 
z1JriT$^@K5pmdaGQM4Z8Mhsynkh(RsALHh_d5x)%4EA21opr)?7=9C&`}1nQJfC$` z66p84@RV)Eyi+cqcipePq(0EEQS^U7#s7?=cC#}h5}|F++8WeQ^>iH*H*E2``q`5| z{IpfuY%8NZnq|$wT}Lsjp*C)I?rsa4h*C6{UhiSC;`)CO_tO|HE zsS!rX+0~?s(nx^>XiLU3qq0u@G>hyGw*E!FSq0*_VQJ6s=7~unGSf~ibp`?NS11PO zYQCqvFocFn@Y9s~|=!}ZL7^()BWE^iqken^G%mH08)9{LZ02Jn%inKDQcDZ{Z zOLj^a*3EXSk;}N?>}SN(q@CgenIU6eU_4(lZpKnep4!cTsqRzsDVOe%+~hWE~JZpxEz$b5COBOe`- zG~>SQfVwD8gKL1mXYzx0Y1H&4K1l!s(96Tdc&$NA;j9gU$Zsn zIc#JhN6aHYt3i)&ZQ{tO`8Y~~>^Y~(uN;-m0D%nz89$5CCfr<&z<8R7vI z7SHXIZthqxH)5J=t@X}A@{*aN@rSLU2Wb2_m)4GkC5 zj1ExM0PR@EY|m*EG9_JlK2P1aiy!D&?Q<&lqX(zRlTR}{^^D`mUGNX?BJV=?eF*Oy zq}I{J`Hj47HANczcFVx65Hmy^6m~7_Ce5+v?Pa(pJ2D+y2@ZGTMBe-a<0P~=8y8ms z)LLKV#Oo9kQ(f(5Thm``czx&vMjLYJ^&$_}1bR^?7WrsKb0@N6r7(=4Ff;z*iw8xI zo9$_uV~t#(yfe@RsH5zP6M>{q84cv~gLl11{8Q+&nB^?%7TT=H+N+o3$vy`$DFQd0jzi7 zqraYYrgYqBg~5Hd!tF`Or{dnPp9h2fdKPm$vG=Gaznmh{;)9hB)zqUA3!gJ{sr;8_ zrKWgJLm+I22dpJl^L0Rl#E63|duznRAMGb}Gwawk_D^w%@tXIekWetw=R4Oip^Px1vlTN(P2bHLlCs@>w#@myCD`Unc!T;o)JS$ zH0qbJ6B532eaX~?a~dUMM@B*)9$eE{$v=p9gh!60~0~f$IH|sI$iPbnDg8e|s8yzOMb-WR2!d&oXifYs{S9Wacx6mzg=W zzo9&$L-a%@7`fRYktn&p7%>JDB0d!P?yng)#;(r|Tpt>_;89DN%8}ft9U;%N zxbX;K}u{TDhbk!cm+We*cYONA*=2rZdsNjlYGae;&O{i{+Ym2isu7#nC z3QjsZczQBwd~wRfZGZ)@W>Yiwyk5!BSj!b-)5^P|9G%#rVr)|H6;oYCM0`;(Hk#E0 zm@}pAz>LL&sns*M32|b*?Pp#4L00?^o4OGT8Y+SPN8TC5;rtu>K2VZY0YkRsXR^# z%>U`y`lNV&b!}Lipesh~E6YD{?9daz-%9 z&mEezShogYw?f!`i{KPYzbBMN@wSK}>GvORrzt}(iXKnt9O3XNmI?)#5vAIWa{ z#CaNM3Ooz3T1v10=9bs9V>2kjZiZ%Y)=I3T6I8F{K2Xuxx$oCr%1C{9DZrp;-B_sJ zI>65zr)&8rz>FWB<>ErhN9ZDGjtt9wPOJpVRJh!(#Kh%J9f0}P_xv)Pv?zxYTZ^Gw zP+E4u|a>XBUajhw0YYqnv0UH7DP9q zV?Mr;xW*3op2&16JLnd5I=lh2o6ICC4I)u+Ib^SL`EW_2H_LC=17vVh|!TgS(bRK`rVd5GM6}5pp$g z%X z=jS+mLm&??Y6^VlQ^WKC`fIgUNx5cS__Q^w->H4d;EUK7CaiLC zoV!&Z-!N00;{pHSlZ+d5Q_g13w;e-#$y#HXk7l>CD|+zgV-boUsDAD^MqD=$>xz|h zBqwX0p~#&D&YHv<(0N`fMt%o5ZV=DaIPIA<65h@$@cs7mwllr%%&xdVGxyS7yoH?7 z&Yx|5s+iK!2D%C^ja%P_{${IxQ3w=;KY#wl0E*&^totatbMBSLe*uRl@JiS%ls}&9 
z0kv)-z1xV(*qICdQWF$v6N-mN$9Y^c9@Pc`g_XGPPduy*3c#ZRunEQ|YO_0O6b!Zn%&;{wV z0vx{XhQIcu<%+S0r0p6;ZP&oadjKz6-MLf`cw8QkmQhkknO+2oEFPSlE~uSjp5NIh z#+SMI2`lDJT_vI%S#nnuGR0d9o8}cV$#=u1dWMbj2x8y&wlov|Xcxi0?PPWTRz&Lw zKQ-=$gg+YzKeYP?zeBHUzmb~Xp|DT;-^u;~>xja85#`SrP~tGZCrLv54bA{{!KHc{ ziTlYwxRp;b7ig~hp8Pi+Yg<0KFb_5{X^;u|-=b~pXJXbcn>EP9q+#Ch;n6S~m;sxR z(f(c2zst9L(s*4V)BJb7$}uL@!{Yz%cs{0jS~;@kn|tP6r86v^Vp=^`w-k!WOJiF- z!mxUUVezVBGo8U^KCZ7PNW%XXdJAE)?q@cW`Hka2!sPAWK*nx@r2S~Id(}$#@6jKZ z)Cw?1Cf~r)ReD#N-DGMdrdEmyCxBMP*gIXe6AAr*E!>KtpaO!cA zKDmUBii?5_Vk+gB4<{9MHCvgHQfMND{7az<{0DU;vWG$qlOwco)(!!u5V3D*=2dkI zA2DoHanelybHr29gt}?YLCYyv=UD|7)rjdIhbDzO6CX!qW+3#YIF9V8B1JU(kW_j| zu{txgQiL9%wHn*eS3P-4CYM)#^rF!$AccdmN{16&`coRjY=D!lq0n74FP5(G%pRhyp|MN@Z_c;;Ol?+xQ43gqo+f^f%?vAim4eQ93r36!hS*2+z9 zh-~GRGQ}Nu30;#BWJTn-%v;Ann_a4)3(?RTz|K)O&TO0U0@B^e#C+yDc z{<-uv;jSye2h{<59-$`$AAZ-(4M>q8oME=%=Y9Ki)|J1V)8pp}VG-a%!yxT_K9w>b z`WGdLhLYa2_5RS0`BD42KUf>QhglZcI@ZOa@r@(K4?^8QHS>W*ZYquBN^KtF(whAb zQwmy%)9Z#NzjPW6Lw2%Dklw9Q{L{wHfEi>`n&gZg=D$KjHGgiWoQPw!h9PPRE33pCqT%OcfU=-DXc3!omYe=auDn#7gCxQ zJI!iz36aYBwp;-pgdRM%_vJ_@=&7~B7zb`1=4WAI{sYESHq=&3@0F-L%^dXM6RDTg%rq#7!eF*^4D$0P^Rx%(cHe*FE+rMxkktW(7nv_~lMChsVgWQZl{MgUWaxHt4 z|GAf){_{3M&hH1|4;_-Q8@eqy9z=pXtb7kP9L`Vs4+F%o`TdmFM0^7J3TH5~@4+OCWAdcHitX2@MI#H z!gN=y-RQWq<7xg$+-?i(k&0blkYSiI>F@aE<30}Ul%F5d*9^`5A|8k-$J0oaw>Yle zoYBmJG|^0~=)Z7@qL|}Ft$o|vb-ySF1HLR0QO-tO8K)%YhI{`cBSELB!1$7Vpqa5z zcYD4E|4evmWR0Ko2y017mYswe9HL8g8oOY&PqOX~SmMVa=)17QdjY7w4@u^xawa*X zTXWvTObsQ+%}2?)#!)GB6*0~N{Wedn=vs-2?RJS%WS>Oq0S$ruh0EcQ=~B?mWPmel z5p9}r{9|w26->);^KfHndKAx{- zgZi8JKRzBF4!7UgEBgAne?JrPzVGu=-&)=-(t}?PkKz+^aqzy++BUSvD3y)rhRr7O ziAl%5ZJo56zPcS${qxl|#*ou+fn9lYBWSk12uuW%L=alA9hV-DPWJYCfeS!oSFK$Wp(veNXDIiIX2)G9fYj7Z59R>VtSKEOy z9)_}o0e0}+-OSS(E7mtG)LsnA=KTxONhv{O{jlaq+}wXkFH=#Km&;fL#iaLq z&a|51Tb=pdzxtythWfcIuSnD!^Z z=m);ac~%HIOPR#6iEaA1OC&i^iH8B(rHogA&TnNoNi+9UW9}v+h}k_zYe_dawaGV8atE5-=;%@S@Zb%iKv;I(qLZC>Z za2XteO<9PMNP+YV#-wh6vB%}t;a=7oH=CO^2SwxrSy$lA^}TJl%U9P$v|~nR-+Ay{ 
z>%6|fq{<+%R^|rE*I44PW04oqo3OUJ)GC_^>W=(`Q6rg9G-tA`1XBs3{wBj12|`O~ zj@xrBW(#(%?)=m~)nGKN>yYOkT187fFWcM2ONOqruA%77kh}0v|L!nET|m)#w>Ze?~xTlC5 zkjILluHb4nwINX_1GZHtE~(HFHZBC*<&x|wR9NVVrYJ}Ebn^Mcs)v1U;1cI256oR5XMRjyUCM3dhTikw6o(}FVGoW=ajHC z^k*z@^aL>=5VKMkLE`##vUc65UpqWB@f)?5LEL7P{lzcm(-gJ zbb$<{ARqJ^mc4AfLA%7jJ$}Lgc26=)#q5xwO}Wlt{(*!$xW65p!)jhoo z@J|B%WZjmM>?o=E`DnYmwieYG-rtixLUn;~!+_(9U@skY``IWr2)IVLQ6SaFrv0!? zi(x=cD&^Hp0bjarz3o>8Z=qRrVVt6Q^Z+lqLDs-}_|Yg}o7VvxO`)}r_JEqgr+(MR zK93BYhj@kY#ZuP|sxov!y$T?#R_h zu&ZgY^An$Y%>#JI-CLaMj8GOYqo<6nQBXo&4KMFRQli53b40gP&mq_T(#C`@#wg+9EHLSXYu~-DX^a zjy$;R@D$;JaEh>_cp1l}!&v77r*9{7T^DTs_+LwyB5NXyF@-?T>BxDXz~oEr&KTFm zXh-f1jJxP91hy2K+GFF88CCno>-Cf#_c6L_OF2e3rCd7EV^9r^o7n5S-1FX9G#vM8 ztdIW3a|@mQZh5ydJZGN#VW7U|(2%x@(0jvS-Wb(hr)NW#%QkWPOtj4#Dza(k$eED5 z;y)Z+G!l){p1T(->19vbfb>FM*xkwR?jg$Ny}g7BpeHN5xp*Am3!JLaPF#{6cphP~ zq`4Es&=*HVRnVQUoxLafrw%xU~wW%mgUR&eTv6URLAg>6}sBazZ1^uyanbnfl1SM##)SrAG+f_6cDzy%( z!sadaK;9E%!O$POr<|fU7cVgRst3FW1OXdPz5l1Zy(&vj2!rX z-R*v@eqTtxl+zAWnWsbdmpOV5logM+pAGuU4x?2tNH<9I2M#6NrqLpTlwr9}6vfa* zev2=$o|d;AU-PyA&S0!;)3ro8is>K`T3AIy&}Z(e z#2{uPwh?w(Vs@Y$S`kJp4t&rtS~uB`Bpjy9{hciAgGLF^M|!EPRspX6)j_zX8bmmP zor{N?=S(#wF@(}FRh#LY_TL9F??NNPJ-eqX!nuI9$huOR#-cOZ^pp(p5w+bfOm{q* z2>x31>}JKCtSvymtm1=7V=hguLnrMmkxFt%yN~PGo^CUzneveiP<`)#^C+{eR}dvY z)5Kn&F}CPdThry#HHTh3As`m6_LdscdLc7Zm+3jUpU|tTqnic0_qU*nC=h&ffz@b@ z0AlLiVh@>*qi{BEd!Wi;1dyx>(sB8S&t(D4=xYr6KqR+v1NP*xqdakE7SI$vcoWi3 z^>mF!`?lrxtfHHnnkB9Q(X+w~&E>W@=?75r=lGN-5&Chw0XW~{fDBDoerlkFNjf~d zj7>ehz{6-@Wq4Lx@6E4xUlWrK_u%B9PeqFSy^J;deliFwFVL7!zX^JJ%KdlW1AM_< z-(z9m3%=}b;LGmLQ{N+qt+5mMg!^B$1$nXY5G22hR(Mc*kDE2Z#u>D|rUdFrX_YE& zUr`~)B-6DSw%>mZ;|1hjJ&pmBcIWkn>!cDK58|5q!7+U#7m~ywbV3(#yDx72sJBb? 
z>%{KhDH?TDU%88gp3}}1Og(b#rUsotMiW+`n7k4 zNFK9wu!|e7uT)DL_f`DMF#=j*Fbs`}0cKbTAZvKYdLvYx9Gif?H&|BX86UmJdAHnv zGYC1MZwO}wKA=Gr7L&A0)3(kBgb1JnZs3702;O|Zjrg^3HdWF|JBEI;D)`~!WNpo; zXWRzUc*bYl6|kLlegpfHh0plhsY+2iQ}Rg-v&XRhyS*%(fjAMZdK5p9dbqP57J3xf zQVOGLPpgcChOt$g)8uVV%vXRaA-<;z`%;!92T#Do2}JG9V>OHW9*39maNHg< zt9m7;R=UbPBOyu4!t11+$qclU``afQ`NIR{r&Tm7_!>kwb4i>RW|SFSFG1`Mn%@+1 zh@S?+gXDw&f~~MnINjRu$kN5|(u@<(Krh0t{}>ZFy=jo_(`znBRLdi5HmwJluaVlN zaV$$T|42&V-)@$C&CDyb3`wvt9cY@z$X5dz1k%zRbBdB6lK1uZL`!sjYa38N%Zpa-w7WAI(C(uS1??K}r zME@dOXqmeF+_v4(`7sJE)pi>mUgkamTnZr|u1S3QT7Ti2>e|O--0o(aunEm9!1ng` znKKhWWztM&1_2x=f}<5$3pqnj2HkVaU?LSSPq}IX{i_5*%M`@-xtCQf=3puw#`Sd< z4EsT%T9(x|6b1db2Y;RKZv#1U~Lau-SG%@^=1Pf5cbgh2iQdQnV2GZlLo zi)_2_9GcC*_si@;i>*M*f8$@w-q4i9++F~$%S8z#tPJo4YeSb|6&ST$8j~RXgHVlv z978f2oIJGU-URRA1vq(*hUAnZv7qHH`{#VnIfSmjtL+_y z(^MInikzRWD*L)fW#5NPCXV+Qb~&2T4e#)I%{6rqyGdx-8sq@Jh5eDc~kxJlZE~7lX%Cv~h0n zedh2{o@0#AMA;{gE6#(U;&4FMTX(OZ@4rsx{k7$kvcoy;pn(i-wa)`<3snlCW*liE z1;HtU>?V@Pt{j3tq98X%#h97cPi@_Q<;qGx`V;6S{usLe=n`d}kd$a7+PI#&AbrIJ zcF~eAXlEN^6TEL9y_B;pjKafOG@$4bZ(*dICsL$7d4To|6&6SNZv9y>r! 
zZFL^t#-PZq=S-o}dkmjcO$Z_6CdzP*wa3+99x^=Do`_6!zrQ2S7@> z#T|&;ReIl677;jEdVa^JOEAbt`TFdY8oEzR5VJ=pu z6=rE2{?7*DGaSm)?_ZCNzt{t7l){p7n zbwEOxu}`2o2~n_6@C76`fQ#JOc~n`Vk%`C*WR(Cg((`1AAuIJJ+}ELD&n&cL)zRjL z9tTAG4&zH-Rw{JGSF4|>fGD8s`L3=FGHpn5Bv-Tzy(xq1Fpy)6*YlqzsL|dcAmze0 zT@uP{^Wx`h+I%b*WJZ&Q+MYfb#AG0m`0YdK=JJUW!fd_b?Ow8~FU62Kj3v6aZ_W*T zPgAF>0k0rO z$A1DC*nqciscQlBy5FPIj4?b#iABnMBplM?F!zXq6@9;i;rxAygU?Qy%?d93Ts$@2 zy^d6Z$-jbBZM$r2jUAqPxPKY#7Y}pswzS$I^}L=Shp;#1J07P4b#Cq2shZRc&f9pl zW1=Z#m6M0j$@XY#V}qAoipc_9gMAJzVDUs`9piWbP1W4nW-;skP_E#=QnII?!&M6Z zWw({ek&+{3Q!~pX`w*yz{WNa23V^64@~%}3uEh6pA0H+NC&@x;VGJ(T6ZBn~UIUfC zQ1YjhHQ^P(#BKMN=|*Z;@Fog^ULAIBPUmYSUA++1#;30vo4US5by<-pPEG0{7}mt7 z#nl8=E5lCv!M8ildLY!QS@c{`3~yc8?VUYi>XFqpX5pPOz1o_rh)cOLzp(BNaJVi5d5d}I zyR7~2xYL;l^uSx}t2TTFfaV1-!6U+6ATo2;GPjmXRymZJx7y!yH%7Q${p@w3AU)37 z?@GcFn89mCoiTsq5G_nyX5$*Hj@QBAXCapkLVM~1=w~q9P!X@% z&>qy8;LN-WHHXLKTbq}`g2)En<|y!lN#L{mh}Lp{;0ccFm!!c>#LY`!s;&2T+Ya^7+ET0>3&yFQbtS zX`)H54Z}tns71GlM}jLeuin1 zH^CIlZ2kLb^Ss!^bQ-92RlC;dz^b&X@$__{(;Bm%4C-~-d@0tnIV!{Xxr|bCw*<`D z!354efES1$myr%BFg>ojv(e9G1aYM}i(1{Rho7aPWMy=Tqmd8qn+<1hLD5+F@}bUc zN`mLgjKpmiG~?%mDH1ir9^|qPu2Pp1Jta^ZSPYX*=~{}$WDcn}qk$JRiU zBbWF~JcSJcBB(4mjr);hQqKX_2>FpM#`W^tIp%u+6MY7@$kxY!*ViVu^k0XhTIn!( zk6^#I#1KYqFw&9d4usxPlBt{B7qGi9XNEmbA)F-2EU8sWw<~GWH>w*XszaZzkiAFz zFd2797Y1Dxb306@JFLiwmuixeSwZ=Q*A$bFIy;^-X>H$`$qPEsW!nQ+MuGLg`#i|a zw4xj2d+G@%ed-J62qrjhWhwYOqU2RHGoBhFlxWNJo($dJacCQr;3HeQn2q`fYA5}b zewh>eb3P7>cQbdrRdv;LxjR?cfPz6rtda*1HEU5bY+&=EK!LGP`!~K5a4|h3BA5D47Jn%%k|S?R($NGPRLT&x{R0O#UT8$~lHYC%r&<24#K9~sABpT$vDZ;x%Pyu}LSPq0rnwBiZwRez+wI%xYcPT` z?B~sRq#%xq^++8b7SgiSqTq4d;!!4<{aUHR0?-16uWI>r_A%#`!?C$xxbG6|U<2_J zG4uZ?cn^p0=S?#$6`E5h?6{`4+@zZ{`rZY}3M5EcCM3ck0QigU%MdC$Oj06;e)nr< zzi-pB#Ip}{1{eX@bUH(1NyG{jTuQ)6Ku@rgbk4vTV&fmy?UX=mG$S1d4WfR`O47P{dgwQ&jd&|xJ~S#1Z+9WyY3%j$1` zx5x_$N-)b%g}%(WAYTSuJv@Qvb3q$B)oJVR0iW6W&KePFdGk)e7#$xAQe-s28|)nY z6wiI@INp><*!@b!=ib8b!<&+L z^shVoJ_xdKIT6M_$((%=CHhTZ*cjh*dR4x#5vtWf3BUKnAlEwR_Wf=zidkDJ3xfUY z!w>%61wx3i_3W5*p( 
zo7^(%G5%Teps&8YtXIg|_E>PK_}7F%NM3qI#NFbe)_beX*JTCQ)0sKrqag6vc<#RQ zp-gQ!XhG1~DG0U&rotyv>`J@Po)yJZmf~V{fz{%iow@W5ciD!vJ{yPUUxQ43Ub*Ps zhTKmrLwvXapdP@w3RtC3WkLL4o?PipE_Eko@ZE>XE7me5dK}V{459a4_mIySE$#%(`uoO_ z)vM9*8G3boaS7&@jAEwHpLxlW6*|LGWwv(7U-1%yW1!xKs(5@-RMo_vw6Q<>db`wc z6Zq?rB!Z}BdL%ei4-wO3cC9(1>ICf*ePRuW*o-fGeZH;wEHWRSQ?^xm>FUNoo_^p} z^)mEkc5qAe&4=32!6x3Rszx`LHFhiLfWlUuX!A|D3tVpQv6joy@2+{*rtEO=P~XWm z=(m7cmBII0eLGAWKwiY^gSW#H-X_FL-vNgxyQ`Z2^_xpnIC#G$u$%GTk&bGz@p>8G zS#wqO)J7Xt7_k=9HY7Jnc_Jr?JIM*-`f!0i!P{Vi9$1QlqgEK&3^(Bs zZIKY`6T(bCynI5Qzx9MS1I`$wSmEz^R_5dk7dWA6)p!9C)-|4GeBSX*%N(S_s%+q~ z8c3NJtdYUM44+COmLMi#F{Mgiv3h|O?vZC|?^eF%g-;>v zUw}PCSW2GIme`WYcojvlYVQ6JH!GH8T(WD%Z`jz>3Eo&A8<%Rq1^pRl=heof)b&L+ z-**eG{a|=SLv!h-OA)oG4!E_)xH&anZNkBuo6_!86S>H+nsJd=Guot7Xj7cT%~cjS z*p>+A8FMJiog+3gm>nTez9lkBS(Ysu>%5MLp@#54mg*<4oK zRs+E0)HLYX-01ZQw?@{~>x#N51!YBVGpE>D^>bnwhTN%Baz)z{m)6!$`vS=YWFv(& zNL8g(@|)kvGu&W_$P#BI?hu)sCNRZ{jCJRoI@AsZM9=O@U?yQwTP?Q!*&SD`d}kyz zF^ZfKM?%0?5H#`kz8^V}63^o{!MO6frn@O@EH)|b9`xk>N_Ih=mB5t1cm^5w=mQL8QMhdzKBiE+7{(+ZMxKv1x zL_^fP`qh2Vaw74d*qwH;bCFg||DFgLvBLV>Zh0Pbmi9TH>HD-5`&%rq>|@?HUVZqm z5d&QlPrHN=o53c*3=s-?&?!MrF5bQU{`~U%?VIyAUq9KzIt%pV-FI)=ey)G-a#{Aw z1Uzy)x}96Ya!QJfudD$D>dq3JuFz_;=b@ie?3fEI(UcH|WSJyH%2}CZD?jK~=LZvu zq&u~DJE;z=_C9D%q!U5YUm(U$;4YJrs!iqJn3j9dP3+yv%PVwxalUSKs%dDp5xRSf z!Rb=}C`tPAqq+SrSqjw}V(e%gUk8>STBSfGFtU+0$(QokV8s8#g zWgLUpnkxdAYGIt7+m%1-`?B^?K=tZBc9p9NEU%XOXH+WET4beXsl=YqDIkf+rL2Dx zEXDnZF#OuJ7T{sLIJ1joI8fVS5$={=1k!Xf;LY}#btssA`bp?ae8Q6)!;!;ePQdNT2E}_?yMU- z#sF-4tzQ|wIMAtE|E};!ITb|mQY00Df^}7+=rJ6dae>w1IhsJRH%Ggx7eVpRd=(xx zU$*)U^uK@K`_0hqsd-D{c*aFwd^vje^7O^)myTIXXCd_06G)`AITfrekKR1tgp)!8253m>Ij9k&qz8Ddg*Bc&`7bdZrAm zcqvdJ=u(TK&>tdfNd<=>hzUAZ&Kpr`q{31xjF=~BUSyX3&ajCPNlK}BPJbpNJNBp= zd83S{7J`@a1xiVhVPV#BdT~DKSiUGBIb86_xc0hYuln`+day_qRFOoLf8isvwqqeBj&02V-1}fz>`zwAi~b9qXK0k#JB>>k_`=(T{}40+xy~+ zFTOx$aMRwH8~mbvoA>sDPhrzv1GV2suL6@_(`ye;z?xU5?Q^GN)3B)hOur%wp3sq7mGo&EjDhIdot& 
z*CQl&My3=>49G)|&d%9PV5vlDAP`G*##4e0&hgpd1a{-X;nZnKGc~3RRZwsIKtt3n zZMj4=B~s&KoG9w~$uGf`LL*}ZDj0$i|a*bal?8zp~}O__jFo!Twn8R z((hcBMZtvug`gs=IUI-Vn>;C##Hzx!KL>$D_7P?wIt(JqhWah7!h znuGoCin+ikk$d&&*aIaggxu&mR~9Kav%+w-shEHrIqC1g3}vjnj3b&C*od?M?aqgR zW>l@*{4Nu$KWcE5$WXiJnxy_GFTp6Id9O$wqfS>0dxM@Gk5jxtN@z4{tE9PHDi~!jO$dpY z?CqV-^mosWQHob`)H`fAm{o8zx(ww3DN7=&0eG2cP<3dnLEbArB zF?6tnw$~zH@HVL8n)|lKcAU?&>|%ngf|-ttt8k)%ZymkD3ca`U`@i9oemuxA%@lvW z=|?le+&L4Ayv8Db2Pl0LoiM;femqF{*lxFTBX)m}ugMBhm+6H-6Ee zB1iQ-(qa^_Ec}KM0V2XhMzGW;Xh4mv5M@}CBb)$-?J78H+QkKu<$MlKhYXRFs)>g| zEko1+aBooIJz^ka-0(c@Ry&P|kq`(!yKDu}SjI*|-oSr;^A}btfn2 z&#r(XFNNt*QE4hJX9Nod0~;?`P*Xr*Yb`>3H99^%cE&ImBw%3lG&}eXqt`K2+9;!( z0Vh@oZJXr>6G~0k0{h6H!u~XUA`!{3R5YP#H9~-9`OM83YSdWi+=?C(G+@l34Q*)m T+x~w500960k4Ow>05&%OI%>JX literal 0 HcmV?d00001 
diff --git a/assets/speedscale/speedscale-operator-2.2.419.tgz b/assets/speedscale/speedscale-operator-2.2.419.tgz new file mode 100644 index 0000000000000000000000000000000000000000..2a4ab7de91e794ce8468649db47ef876d17570e7 GIT binary patch literal 16996 zcmV)dK&QVSiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYef7`Z_Fna#I`V?5DdlPp>$#$HiM|*nqs)5`Q(w^S7 z*M&$(LQDcI0NPR0KA-*hVemqbqF!w0rQOFoztdPGFc=I5gPFkqBXdF$8RL{hJSPGx zE_#P^EL3-av-EH8<=Nfc-F<#=0RQgp?$-a^+dp{zx4nbsFZTDI?e0C>{oC%|v%RO! z|AuzoPxI@aLMkl&wtMfk>Ye+GJeV=Au%evFehZ-(E1dFKH^xe(q)T}(CPL9EB}pIU zSSUtBW3hzFJjIKM;f(ar$a57svs~3!>#CTL=$Z&gIqRdx|NIi|b@yI$ccb0MjpYSN z36{jR(!jedoYU_dyz9Ld&U62Bzq{W(*!z1cAu<*;SMYMA1d$RcA{AQjLZHF~l3*%sKW+nRHY>s+Z^ z_Ite&=Wfii7L7F$Q<{=~uZN{1O7`?S*=y)rH)pff6V?=Mfq(E%VS7Ss*HrAiow=kOV1?V$PVBbc!Q2C*c&1Q(h$9)+2O0)lw5NLK1`l z28e?d(x9uw^S5NtN9}g2^#~1+B(We0WCV&aLlc4onG!)*OcF$yR0Jo8PXPg(Q-h|G zB%SK!$8+L9WQA0^x-C29BEzcRdenM^)FLN+be7{^3(|Uo60C5)^#~y}Iv);?Mu&rw z;pO1``10G~4}J8HE3)|K^4Igr*B2*!^befpuSNP#+mR8p?Ya{XDB)U4YRVOo=x*y; zebmNz-mTIEYU+Lf4fxcoLUCG1MMSq{|2PF%+0GV`eNk^P=2^}eVM-#J;h83j((8ci zw&1s3+y$9Ysl=j>X0g!AX|R4Er0}eduARh1C@<3VoToHi^wA)_!3(LIJmE8xl53J` z3O6IrZKZs6qRaGAo3befTy+m*j$$5i5zD5Yvq$Bv1JQ2_ktRbi<6qL`p0c`YUCM2plW3*oRa{ zQ^B)3%O_aQCmf5U+wy-7Vhyj4lqiTs<0VaX^@}1Ux&@r)>7rrwyyW5ri-d^Q6e{TQ zebkl;vjmF-$aRDjMkicKbS}s>VOm=W#xzNDJ)*06P8gm5&I+Sc1IbGuQ-W0?h-@KS zEa{^uP9?N?e0J8&CEbVdhJjo0X$-0_Q;idq=gwy(}-NjNV8mI07gOEni{9(rymm|C1Dl>y1J#J z<}hk#iqkaYF+ozSNMh$ersrj+^$1BKu4znU2fg7F+0m4e9Yj>z1xY!4i?ci>S~`}E zb*EHF)kmNfRKG|PbC$SIvy@M8ItVNZ^zM&J4^liK=|?~w+Sw~nhTr>DJWl|Z62)ne zrbsKljH(6VlQ*E`YaUUU!Ypx&QI0lPK0KB^h2@p(#dhwHDCbF}85Y!Jt=Q8U(=TPj zctT`UNXlTMMO35l^ln$?gW3W?;L7ioe- z!OVh~3wljcG9!uZa;y9~G5};Cp#tz)QoANBNVCfH5-MR)Dx_D^WQK)836m)0{Hn;^ z+Jv51%1U%P9A6HOULBwAv@8JI{z%uoAlg(UN2j9z8?Qq6<CYL^u#SSd%IWvQIT3; zV$&FF!`_Ihoo>r5jz%Z5%8CAgEQ;oDgyOvDqi4Ijnf;xSjBEAn+1~yu3hy+Xh^*Dv zTduLU{{_@|gy#GPrQFPo8%z}}lc1oy9vi_N^Gp*6C*as1QeEbPjQ~$w0{4k4BXb==cbQ 
zlr+CWTDmt?YPz>1pOcIToJLY{p*3esPhX%Ucm?oY1Kg)ugQYXZ1-X?2~j zsSSjV|G~wqUYzE#kG|-_|2k-|3;zoXB~sl6rY^n)CX+;{OD#Gstx{lSo&Km&c?n}! zz7j+ir8uR(kxQB@kZ`Vm8$K)Ky;AH4+o*8n<^2bFclXu$A$;0YZU5Qst5%7H#`RNM z?Cpj* zQ1mQvy;kdZ8Z0tepU_PUo~C*^5(HF3z1(D4XM(jE$8+Sp2iA3OWJyaca$;;|sa21l z2ex6OF%)^CZIZsWlC`26s}w~H{li23=Mn~GUt6s+7Lz&!z~5Fd=E&_Z#S^Q(x3BlwsBN60ZPdLmyLDaf`a|u2-K&okR zMb&_o8jBfWhl55iZS?f{v)!OPF+4CMY(!^_B!~J%b4^CmptAr+x3@HopT)QfU}}Q_ zjn%#wvYRj8l7;_3SOR}XQB>LR_2SBUx{Z_S>I?8kT<^86C`(KL6#E^xlqq!Z#~&WBrq>^Tw45Kd--=37U65-^ZY&7_ z;|N{v>E5T5FlDG?Iuhfr3YMg#kKVm=0}8xPSd46QcG+_F=sH5V@4%)2vw?dpScGz{ z=6%%5^x%;eLQ_oBLJ+q@aSZlLIW%S|?KbX4SGN!Veuh;%AHL1)hPk(=BXmU;eN^>q zIUeb1V74IgF7G~SpK^7~+Ww1mH~HTHwwRDeE~Fya@_XdR%qu z0<#&}1_6VF9!m5(`nBMSRKEq>xb#z7i`P5`M)t!xJ%vpG{kceqH2( zOZ(?UkEEG*UNZP{z}T+u;fKSE;b1(pKVF|7l|PP#Cqw(A=BtT9W!AotnmeaODv5uU zV3Khbym-SW?$5wG)ZDRl`y+KF=gA5b0=cycm-grF_lk^Fq%}f%A`hoi5-Zt9r<}n~ zrSTSxVDmxt(cbQ#a3zR*Y|z7k@ZlGPD1aFAEV|x{Y$TH(hT4Mh64P@0OreL>;;*z? ztXU40#_|0~&?PxlVX+S`tzhr!L0&m&6Ah{rs_3JKujS`X)MWWpD|Ab7rAdztzSpoOaM9-~cYQ?qH+D=HAAjK+Y zt5mkUNC$`4YRP52SGGXoXP7(s^A%ZCK7VQ_+=+cd%O%X9)iOEY4tSq#HDA zzStd+ckhC2jDMFAY<4sdwyeem6X+^w~w5n=S`Y`$s3| zmxpJkFORD7Jc!;|5w;rQZ*%j47W@Z!6{NgwU$ zmHzwV@i)5Nr3P)NbyaJG(#NNx^Wow6?4nwy8e?9qXAdh_23ls+@Nh!4=F#x{6KuNfQJUi@Tz7 zZSI$$kLGh3Fj)ayFILgz8bHcA%+U&(W)gl#O=NHG{9iI%p9v)qe zj*o_igNrKRmIE?tBYiv?e04Is9K9M`jE`#Lwl^IK=;h zbm9&ApGah{Y9`)66I`$VJ>T8ids@@~_ID2+&i{Rsr{adpDS4|11E0f^`|+@lif0$r ziEu>VutMGOxTM|L`IQn8%?Rsi`*u>$G$C*R%^&o=-tF!^>+Wu0X4kl}<~Wf#iFLy> z!Hc}V>{bCC)nI0NH8$WboX-tGkjA&m-%hAh@I6lpfzvu7#&mUTL{URYun#zTuBR|>xw@UCkfCRr{@CBtsU~T$V&gu8_C%@_!qlUVO7X3jupKo z6({B(d}Z7X6V6kDSp$@u#NCW1RS2)j7pA^BX0Z~9m@|X7{4v_=|J==plz3K!If9~F zLG_NlB_65vb5=z%F#!Yavvs1$cuq3x9DzJ1Y;b=3-P2L!HA0ok0xArFs5BvuP{W7O zSJ^_VY93ZDw1`!->VFJoVDPrq^6ydQ8>oP`7E1I~BnBDFHYBnAGbb(JTyHLjB+N`s zbDGQ^=IPczkBGPqPK3mqT@#_;$i$4%-#l#TjyA$tq0E6whEwBXg##-!$QfQBLEr#U z!2)>pzlXMng5znb2u_^@V z;haX$5jedlyIJzcyF)9@E^(lFKv>*jc(ee~41(QBB_x9 
zdZ^9Ak2_X+RAi(FVXM&!SEPDjL*C$nTQXJ*ZDr1nauQeOTS6op0E4&>J*$@26ZbUF ze*M6LIL5R3`%O%ypRa6Plu~x3`K@5|*McC0XB`6=&9R)Dvqx^i&Ir@09;weyppw1G z#0W6`4;QM7#&fLD4Tf`Wa8lo24lpOSkmlneRZc84z_!xK9si1XqIn(wn=4qBnQrA6 z>nGNWSCQX^Zil9-6XNdhy@iPM(r3;J8@Wzp1B}X8FC$J^ku9SZAquR`#iHSx+Xtz> zWo9d8d%Bn_YEJlUiPyHGO1t8H((bB509euv8!O)n-b`9|GwFacSG^ew90}P@&O$mz^y_DaWYZZ8*@H5nLXhN{LUqeGe*IL(aB5_UxTyw&->Y!Kk>Kub(cIzkEt>%nIas%zOflwEzb|G1o zsCSj0(;`hHvAn<{YjMe(vxJC9Gg3nVKU~cP)-V#&#-x!(8|ZM%5*ll*7~RZ?niGL= z4KYU+fC*ng$lYo{z;*a)^Qbg(^tr3-^%>)d^uYx<4aN-4K~ttxC#~(+=<2)hRwHFS zZSFBeFKRHtDeB?>51*puE~E=Gz0Nr-`MUy^YCRd!`M|*)*QJ8w8q^JuE0M zq%WV+D}tVo?yPJ4BvDGQNrL|S`?0$a1UPN7s0!5v$eQf9P;)NmZ^oPj_WWi%K1VT5 zQ@OKDQmRPSK$LCBg3t+%ae4-Z!-b=V>$z5ucrlxU^&>KakK!ohFLPohTAM*l?MA2)mQ{zjWR8U&u@Fl# z-kl*`C3*_oszSxe6AlRBT1WwsnU?8Q?&H>uwXKePexl{ z9yE=vNQ3$nJ{v~N!-G4oZqpN}@E$s1;JmMXm?i5L{jgi@#^GoFh9$}M;)*P!y$oa`~fNAt` zW&`Tpb_X zN%Qix9jj7*tE=+{xfbr>aa}X|+W0aqySw#Z9MoU#gEi)>Vz4x78sOE<9Cs&)HB+6U zb&n3)E4A*@R~rRmyQv{nZVR)$g-t(g#8O7(yfkc^R61@qz%0Ffu`xNnxXYg02OpPn ztFEeaFjYic5S%RT)Zy_-37}lnu>OFaxc+N`#*fsDsjD>RiYC}M)>HVT`9;|i+t#Aab(K-ADoA;4J z(z<)ZJ~@OkU(XnJh!({17syNeK(lE)M-crGtAUoN)E z_H+B4$6I+j*Qn{`2Blj~+{#c@P=jm)<#ppwa-FeJ?tlBu11~h_6k%i+O2(Dndu`a? 
zG|xu!hBC{^-;xGRsDUnzn|9n~vw!iH?XR@i?}5NdzTOhQb)IGOfatz2OTE%S;Mzcg zi@kSVaYPfs6rC=ROlhpG!l^a{jlaiRK;;Jc$`&-5m`UD9-}9e*n`w&tA`X2cF+KjmI*M>m@NW|oMS1`MEoU&@8ZOq4@A}l6#8ZUDSh^{B)vTG+DR}c&`!kcJanl z8`s|;??A@1#X_BrYZ*x$e>-U^X zg;R=G)z*|*wPmxB@GB!n%(Lz68=oDW^^MwX%{HnRdo3bJ(m{|tV}e0xvk5|DqQ$-- zG1$B=3I)_buN?Xq6rcTIRr~jkVnJK31nZ(y8fbQ_SQYbZ-mgOI<5n8bxM%c=c{awd zg!pgTZd?`5VtcpM9{2j#7V~_N2p99L-KD=>KhU;2_6?od9Qm>ZMC1c3w%)!s&z8I2 zwu@VA4Jw?QXNPLj~ZL`PU(7$aWWwz>?iKe-Iyv(h;x<#~rc{WARnCEVBG#k5A zMoIhy=IO?upz_f?@t2#Xx9#6wYL?!zbDLv!Zr!b|XXM%_9`oGB=0fiyqQ^Y9jO#Ja zcG}Wb^x0TMg<0k5&(^9k95vq34eq4)vKPEL7RWqaf!0&eZN_Zl20v!rVQ9SFs}*jC z5M_7tf`hkvwX0`4FZdN%7}p_qZ7cpm&f?W9XA#3`TH19TG$|Cq>pkmc>Xz>2b#|X| z#p*W9d|&N^9+wW^t)0-pSpA88&^0XoJTB;UqX9PuX#R(+%eg)HWrJumN9fVD`iaZx zZWR+YOG$LI$(GVnF(oq`yCZLw`PO*BJy2HzH6AcB4~JW%0wfcnh{!0TQkBQpx3Y;p zw8!~QCtjMJMNtrtS^E%1I<~fG-rUtvzX1V!WOZ8biDp}p*we5e{-eEG&6Rg2Ks%M& z6CAwzU7ujCy4esTVlKZybm?HGNgZ6h^ngkf7eWxG8V-meRIr4I8!fs7V*HkeHp@G4 zmNDKgYNLJVK$MGyNyaSg0cwJpF#+Rik4#T@B@5QFn$|7<8BpCXK=oIm!1Z)npEV1CQ^4Qs+%W7F6K7Nn1UY7ee4 zO|_=@Q@ewHYM%=Zssv>-{X)ygpV~)cCU8QMpW0=MjWGWM+*z-Pn2~SE;!E9jfTQ_3 zQUWV7TYQ=6V&UhMN;O{Om{5c~EU+;BGuKeYV>o`iZnBzFEY(b}bJGDK%?>Mu4b8*Wi?bXUH# zo}GecAPNk#n(XM%)zzA=nd#=*rwK88I=TrEcK_tDe+7tg=AE14P={CiSt z8Dbb^s7X>@^ENBX0Do1v{RT@Ui9!>sZOS5FN5Ypbw=IiF2kvNXY9w6t(cZq%Qvs#r z`|RHS+->LzmFVxC8lGCOE?_D47tu96;9n8MtlM_`v9b=i#oYB{(;T5pJwI5*AC%Fo z$ogn^EobPZeny(tV?nUIKRXyGr5=N|pq&YvWms$P)=fa+;s!sB%*HNMbXz)}+>fOd zk6TQvbHS4$CIZ&}aQn>3(?w3q%(EfHy9^XI|OpLhQ2v%3niCL^bOD%@(c}O>8Y@3sj0?P`#HXkyKi4TGyAq>CpsXd0pHH_z8(I*eYT| zmB3;Vm}u6;w-T2^l4+5mCz24u*cdvH->&Z{uwcmF>*Qf>4`{y5{a&C8j{(R@Zf^R!_oayUtB3V|c z8;e!1sjYr9>rUe*8Qx@D{j|b7yyF!p?zmvHl~IcVC@-b)%6HA%F~`z_TxP<}D)*Wp zfh(eMN`JctvP3FG*fkZLLD(edeFbDim=Rm}f@@~%8bQ4}NX|Cx zjtH3SW^f2dagH**tU*%}@i;CT%=G)vTQ4#jPri>E59U{Hf;IQE-}0VTQ+4yzl)C*w zr2d$2<5je`Y1p2udyj(BLVT~1rEwWpdTAzPAFfU{FBBJeM#4A6q?Y8*Yrg2+AFWae zHl7xvAXKiyxA~^s9ry4v@L0R6_;u4H@#zW8>rb7^;NiK$vp)Yvkl_3t8Q|9E|Jd8z 
zd$wQC|90^7A^*omd6rTU=eaC%ew3#l)@S+f*LGABZuIDkaY6d1t-PiCagueWkWk7X zhx2@O24AZPK>D9L_A$?L&InU|RH@V01)IWZ4fa0C)jGuQn_$n~X0Mkl8e?gEFLF5< z@JT?S4K%t7m89FtX_brF1u@D)3n3?BEJC&W`j`0YgD}n)LFV3C-rgz$Z9$;BG17Zv zrZt@j6C7AaD-l5k=$L024$oFasJDbBVb@^+!=~qFN059j&}P69^HT7d+Y9`Q4L8cv zQcqStLM4;?r8&oQ9gorZ;P7K312ZoqQ?BR}fV^PGyU z2tkvohVEjY0(IK7;O|s!0{{5kJH$wH;>C6w{f;0dj##WH5nzXNdPNp(o9VI%FSsn) ze}hb)27#4nLj5%EuSgO4xC-vv=PKPIk*Rr7dQBLS@?7vq#m2J9>&J6J^WCoWVUnJ*D!QK)=|ghZqdS3n0Jto!MRqH z)Di?IbjtzT+ud@+G|0--39-)hZAuN&L95$LKlqH(^!o*GUVgiawxtxT5QYi}}d(WOfeQ{84_q8M< z+*UR>3DdWp7s7eJ>Tx*`7_UY|KIMx!SkB`Z|}wa{@#QC?_)f5|K9|wcwRaH z|C>+Nd;aDm&AM_9oYL1eS_JWFHjQ2QH8LAsQEm;437K+1A|ujmLf4L2(X}Q=5_@lQ z1;!1bv$^V{_QA*WCT_|}++<`{NwJOVE_6D5I2WVy22F5$#i!E~no(sGHlAA?6J%9i?e_I@MWlzmZi%q{phC}_{wOkXj86gbky9cynnNd zH??_sw%njEd7IW??#C(x+Z9FNT)Gid5fnv?MF5==7A?9Xc=CbpvA?2c@#U+`y{ zKD%Xd(kl2jrPBP7+Y|ngO~wy@-oVQ((RKj%S~p5g40aat690A!0;8Q{%gx@joQjt z-9QR6y9H0lgtEk5MOb-%tEM4@u-1mRhSxz_GpJ244RJD@+gWO|&KiE(e0&twmp@bA%TDXn$-GM!U~YSC5BpGy5rDgL?g04~Jif%- z4P5=PIDnbG9?E82u+FFwO}PdN2r6HfzZz!Zqex zBzA9WB}0HW?o$!75-YZhn+-y@SK<5>aP0Y$Pz}>KXe?i`WQ!Tk1%I<@>ZZJ?i|bo; z?p_-2S4M196yHCaddpK{JuHs0YkJvoq5q*;zphWRfHMi8K%1JQ%3kw(2x6@d(e+*n z7mCB4e6_JLzaq?Td^aMqoq_TJ!-elli%-HrpV}&Ycs|y%-v48@=zF?=Hu!&bpTF3v z`+uGtJotY;%A-Z?yLS~IF*wz=6sU<{Cto#7tY80(`+aKxcb`pVzajke<826=(+p=h z{VERX%B z94BAl6tkF^h|Nv&U#0ht{@Qr{bAR{6)7t!h{`|$m{QoGA=Go6;p-}%z)NZ2))|d!= zc10HTS5m)tl5&1k( zy;!KWS^g3dS8;1B4}1Q#@`$98Am0=*U7ZnjI6&=@$FYr`K7Y1b#|g@J4|Szl>*kAI z(%lC=^P>ji^{*09_w3IeQD>Z8(VHvz5K#9Q38?!(xZNwX4ic>@&Qla!kp7Cuqu(NA?c)ZmZF6AhgB%FjaK`#idA9kl9L|R`{2OO6 z7lJ6o-&fdPWs!2DeXEeYEl+MmkncbbXnCE`(($Z^!%=^cpu!Kdq$$#(&fF?D5h$gMbX(n{(d9^SL0XT{An)OOR6C7U^IVACwtgIyO?Yv!@5Zp7x1%K1(Udxy#r1w{lkWKUd zVg7%N2W@%=IgaN9ozR#txi+z})!5K}cejK7 z8?yq71=`=;U6mgOIalt@%}p0WGhHrbz0@=%d*CS^4=-Mg(BSk49iE*Y9gmOCPDkkF z*#&w%8g|gd@ciQJ==Gs~-GNd^$D{GZ@mH_)8vwA^MMvd5`!HaEQ>KqJpMU}aWtia^ft(b4iewSbEn*#?-)Ukq4PbyBQs#zgZsGzxp>)R#kDSw7 
zLz>d5TIjVe)}Ws}+x_<)Xil%pJWPGe3ndi>qgoG>AksmkJ7_`}nbMfzvG$}MJfkOVU0LWV+VhXwbaw4qb!}6J#1TZX1tTqB4NEF@?fGLa90!T3_6eQY6X-1VvH!k^9-9R34b4RIO zo;!Z-m9`$T1v+m2mmU_QAC#z{fmOVWI%W&=P7qn7Fh3v_V@BdRW;FJx^C3f7nRGz2 zvVN1=pHqa9ArFA-R6FQ>(3Nh+Jjzq4 zoOEMc(U^GgW++7x-L@7hO6j#FacLzqwid(_%v@qwUD2kHPF()$L7o$q(6?wpQhu{j zQsIaQdTq2^O%U0xbAWE6nFhA^7LuWXL)@e?)XFgzDA8@$M4m=g>84<~^jx@^Qg2Q3V~}GX#ty*SRYQ;r`vl;U<2FgdlEcKBr6K7ji@`TcKQnH*ZK!4d;yA*lZ6}G`yfD_6vO?BmzN+mntlI2w) zbMvbVML1l_s+W)$)<|2z48LCajJD!+t&r%QK#WwlAfPtnFQqarAZfK}F#~yN)yVHb z;+0DidFzN!?W^O*m@}EvxZs6M7bwHxN{c>GYDZ4xB9hJ+$bQOTjDWC>oT!CW`;;q$ zQ8-t-?d2(4)31HE-3;8Q@`MD`@-eG53fY1tgfJvXOhA%P7L|6&Nhry$g~>WgSDx2OLmtY%{^&d*Z)1`xWHMkWry@~_q%nwgP;UAfj9!MXNC(aFH32Qp zAp~|bpH8)&$B`sy+OhvN;dN$Uyd1EKvegPf%($Lu5|}Y^t>QdSwYkYzx-eAMvdf|t zrLSr{N8b-mnVBqmZ~L1A`I1!Xg5(Gcp^zHs6{kvj;dkSx|3fZ4>JKeuZ= z74-_PLoS~JFreaA$*Uq~n=ok*?ONAG$5TE2-WHOID$Ub=P!zR(S3JY|GYC0rxIZZu zEU#M&E@cD+)7^lLJ|fI-$`D2=zL5o0x~nOfnMJ^+=>ERcueG47O2u^o4%P&NxU{Br z2`4TGXW_c##v=nw6%x+tZdEzasZ7oowKK&T8s!|bOP|(9bfT zr!J&YPDx@!!9f>YkkB*Kg{Cu;%+5%*x)h3ePMvO3kwMAdSEaQbrR{g))DfD61kWhbd}6G}@K$)K zT%vK)cN@r?n2u{W)t2L+WkD3CtmE|Nz=Q|ufGw6f7c}e}EE%GsXIQy9b}V;yv{+1t z)|)zkG65{A%IRkNW?T>r_|!#eRdX}a)4>4b5)KM&PK55JCa0NkLX`^_vKoB7qgA3M zJ6dS@@wbMb9_se#+4%Ty*hY%HRX}e&?Q9!b8ZIyDi<|&3yREs8d zIF__7DOBMqxfX~2425}x$-;SEbwD9HE#-_}GH2xqxD20*&N7v;)Aa%`m$eNVs5Gt3 z6i^_pi7eZJQ!2jJNa-L7_VAG zsiI@&7D%i`#W(Ml4V)zUZ=vm-kRt;q4s}bRZDvBpP+wMaB5|;%Fw>0^mK2#&TPqyn z1dFl%+;G-q8W7kyF>u;EnZR3xCMJcu5=EW=3}II7TQriWv?@St1!uic0BVk}U??;Y z+m8@sE>J?Jka8=~avL=G(zVyHWn{nvdqsTOfK8{IHd8Pb7b{GW&^za+62Q|<2j09A zfu-H5$|~%&?wDsrmDYSzam#p1rDh3K2ILtSJ9a0)*s7%#D7)x2ONo>)Xyk34(wJ)V z7a#^3B;LQVsB4jdGb?aot#nqjCp3LYnY)L(Ql! 
zZW{wt>T1H@g}%ECGg6FS_W6N-&*FQu6Py&~#b&N#IePEQ|pQmbW&s zN-+SV2*yk41?!XpX6L>vQGKFuB{-hfP1LY7RkAv`JBY)MUwbe@$D=m-YA`w;IpThQ zJpShF^%#9WxVRXcj*o{UbaoML%b&eOgVP_-x5uYP9Ymnec&ug>gQ(7#|XjB$(%DuVb=k6 zW{g!>Wfz?1g6D#2^&C1pMFsduf&WU08~96&w^7O>16#$3YbrsqSJNzlP`CT6;EfG8 zT9=Jk!+T$J(TOLiu5?22gr=~0eymqsb3r8FVPG(hQgC*vIpJavxLVv!mf}K%E(1np zDV-4(lbw#=?e0`ux!&`$k>8&fMM0v3q;vub9UwOoTuQ%h;hIzk$4bKPc=P-)(zCLB zaDgUn$WjUoTaN$?Eza<)>ciKyT}VI~93XQN)6&UCSxghH*qW^bt-u(cF2$(>>LheL z$C^Y$AS}$Dxn9NnS}luI)eT*sX5nQ_Vct+?2Q!eXp~v9K+C6cHmF{-R4a3ejPi|-$ z`VOyK%R7LI)2PzVmgrj0<3*bAFF{=E0^t-pI!yWNS zYQ0dPxAe5w(VDN>YM~MqDQjO*S=sI(UGxpV(Uy=gB|X7_o&n&pe-P2a(qK2l>)du* z1f00`wHBnM7zKPm(2iUKyUK4EP$(W#NodcvFe4z!ti+9YI3SYm3-d73o1 z&aucq5;^7CQ?Z=Rg%IU#ne`lFDT&b2$2w6v%YNg@!YUhOhZdRwB~86De-m(Hpf-A3 z3fw;<2cg$-W_L-+JIK;_2oB_V{yTUO}UFp8=- z!Ku}prbNJP2G*MEl$JakE|!R}IOWm^{fWTw6;TqkfBd;!8YwA`-DC*&VOnU&iv5x-mF&ETkf=W%B+r?&0%Y#`f+kO~Tpr$LLE(io+f z%?dmtXvVLJVD&&g>l`W7bGh8F?q4C?{o$!SP4WL1!@<$3VK+(4Iw)AnWk>cPf@$Fdi5rWX_0gR~z> z6y&Y;48GHX)fx^pTMH=2@&ZY*T_}N%8nyW^U>#TZib#llhvP%iNpT-+Y4!>H?Eo=E z#lh|>Mkd7^>_g^C8&UT1bVQl97QCTn7oIX)Qxa9=5MU>{jS^NwDn!^d6`X<2f(0*F z(!xQ1jIbwCFH=>#5LJ?-Q$y&Wf*}qyE>WD`;Dtms#Lem_o*J6iE&W1sfK5pV!G>_? z7WTm(JwoS#z>+GdBC^$rP%x-_-TmGFXhrB74dAK%Yfx%r=tr9#!Gyh1L2k@$Xb_lP za)TcK`eh9eL{3;tdS#-89Uw`-sd37S1e&mC>)n_D_Fof)E=bPNF`M#M>z7}CnP53@ zL63!gkCP<4*~y_3U}96MQ(m1iy#RnCj9;Q}nz|i3Q7+sNt9x|u%bkT^;7%FmO9HAel+Rh4yr3A%k ziBgT;x^x6ZdOO-w(@LM+*8;aQXQW%Bp=Fk)^W(w0Ueo8FTK`wXLfY#W?xHwuM+;_+JH3wH@QHJ}v|8UA4^UqFu0_h6#8>4;kQ-jzgg=RoB+uMIl2X(4_fd3P zExRr6+9U}|3gP^gwngitUGU1;!maL6 z7H|>Nd&4J9JXcBV3oXOterQVHIub$OJE&l8bi9BR=8S&F-Pr~-GhKeeCoNc8#KO@F zyah8%S-&=8s@Rt8G~H&?+(X;GChb;zeDnyt_RU!Nac7hOBJ3CmlJRT3lv*MM>w>>! zXW12AX1_H?bqW;>JDWQYDpS)VvvG3zlAEUI;l+`(m#mbhn=DEKd?2=K@HHV*T%-ou z(h-qiR>1aUoD$5mrIM|EvQ;mu2nSIYoN0G}Q(cMmM&KO46 zJY!6`ZI-i=G2ze^1%(vZTT8%ki5R(Y$6{Ko0m|?j4HT&9PRp1`JoF@`R|H+}b@#hZ zQS?uAz2DvK?(X=5V$z4B3UIh!)}l;{6s%wyZz6~}OK9O~zJ#NNFcwy|*K47kQs0m? 
zZ-p$Wi4b}tgY#=xp&uLc(6ve`Y+$|Nl%Ybltb+YxsGgbw6l#G+DUPp7Sh`ME>UW@f zsbFIIIz2cUnp{$LO%>_=rlPmcL@a(|2hqR2`FijF{WbpP^k2uX{@1~R|8^mM`(m*3 zZx4=~|8t%u{}0adND!Q4yHI!P&Em?ikp5EqZLscK`+DGkXYt!6X$5?PFO5HB+n#>NS zyw8|qE;g4+m?&gO?9qo74Bj(yC;p&NbHbGMqqH6*+r#tlJUkDNd;WI-00960lN|h? H08{}0oUdD7 literal 0 HcmV?d00001
diff --git a/charts/codefresh/cf-runtime/6.3.61/.helmignore b/charts/codefresh/cf-runtime/6.3.61/.helmignore
new file mode 100644
index 000000000..bc71d4240
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/.helmignore
@@ -0,0 +1,3 @@
+tests/
+.ci/
+test-values/
\ No newline at end of file
diff --git a/charts/codefresh/cf-runtime/6.3.61/Chart.yaml b/charts/codefresh/cf-runtime/6.3.61/Chart.yaml
new file mode 100644
index 000000000..0ec115a39
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/Chart.yaml
@@ -0,0 +1,28 @@
+annotations:
+ artifacthub.io/changes: |
+ - kind: fixed
+ description: "engine image upgraded to v1.174.12 with fix to codefresh run --local command"
+ artifacthub.io/containsSecurityUpdates: "false"
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Codefresh
+ catalog.cattle.io/kube-version: '>=1.18-0'
+ catalog.cattle.io/release-name: cf-runtime
+apiVersion: v2
+dependencies:
+- name: cf-common
+ repository: file://./charts/cf-common
+ version: 0.16.0
+description: A Helm chart for Codefresh Runner
+home: https://codefresh.io/
+icon: file://assets/icons/cf-runtime.png
+keywords:
+- codefresh
+- runner
+kubeVersion: '>=1.18-0'
+maintainers:
+- name: codefresh
+ url: https://codefresh-io.github.io/
+name: cf-runtime
+sources:
+- https://github.com/codefresh-io/venona
+version: 6.3.61
diff --git a/charts/codefresh/cf-runtime/6.3.61/README.md b/charts/codefresh/cf-runtime/6.3.61/README.md
new file mode 100644
index 000000000..06bef5a35
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/README.md
@@ -0,0 +1,1228 @@
+## Codefresh Runner
+
+![Version: 6.3.61](https://img.shields.io/badge/Version-6.3.61-informational?style=flat-square)
+
+Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/installation/codefresh-runner/) to Kubernetes.
+
+## Table of Content
+
+- [Prerequisites](#prerequisites)
+- [Get Chart Info](#get-chart-info)
+- [Install Chart](#install-chart)
+- [Chart Configuration](#chart-configuration)
+- [Upgrade Chart](#upgrade-chart)
+ - [To 2.x](#to-2-x)
+ - [To 3.x](#to-3-x)
+ - [To 4.x](#to-4-x)
+ - [To 5.x](#to-5-x)
+ - [To 6.x](#to-6-x)
+- [Architecture](#architecture)
+- [Configuration](#configuration)
+ - [EBS backend volume configuration in AWS](#ebs-backend-volume-configuration)
+ - [Azure Disks backend volume configuration in AKS](#azure-disks-backend-volume-configuration)
+ - [GCE Disks backend volume configuration in GKE](#gce-disks-backend-volume-configuration-in-gke)
+ - [Custom volume mounts](#custom-volume-mounts)
+ - [Custom global environment variables](#custom-global-environment-variables)
+ - [Volume reuse policy](#volume-reuse-policy)
+ - [Volume cleaners](#volume-cleaners)
+ - [Rootless DinD](#rootless-dind)
+ - [ARM](#arm)
+ - [Openshift](#openshift)
+ - [On-premise](#on-premise)
+
+## Prerequisites
+
+- Kubernetes **1.19+**
+- Helm **3.8.0+**
+
+⚠️⚠️⚠️
+> Since version 6.2.x chart is pushed **only** to OCI registry at `oci://quay.io/codefresh/cf-runtime`
+
+> Versions prior to 6.2.x are still available in ChartMuseum at `http://chartmuseum.codefresh.io/cf-runtime`
+
+## Get Chart Info
+
+```console
+helm show all oci://quay.io/codefresh/cf-runtime
+```
+See [Use OCI-based registries](https://helm.sh/docs/topics/registries/)
+
+## Install Chart
+
+**Important:** only helm3 is supported
+
+- Specify the following mandatory values
+
+`values.yaml`
+```yaml
+# -- Global parameters
+# @default -- See below
+global:
+ # -- User token in plain text (required if `global.codefreshTokenSecretKeyRef` is omitted!)
+ # Ref: https://g.codefresh.io/user/settings (see API Keys) + # Minimal API key scopes: Runner-Installation(read+write), Agent(read+write), Agents(read+write) + codefreshToken: "" + # -- User token that references an existing secret containing API key (required if `global.codefreshToken` is omitted!) + codefreshTokenSecretKeyRef: {} + # E.g. + # codefreshTokenSecretKeyRef: + # name: my-codefresh-api-token + # key: codefresh-api-token + + # -- Account ID (required!) + # Can be obtained here https://g.codefresh.io/2.0/account-settings/account-information + accountId: "" + + # -- K8s context name (required!) + context: "" + # E.g. + # context: prod-ue1-runtime-1 + + # -- Agent Name (optional!) + # If omitted, the following format will be used '{{ .Values.global.context }}_{{ .Release.Namespace }}' + agentName: "" + # E.g. + # agentName: prod-ue1-runtime-1 + + # -- Runtime name (optional!) + # If omitted, the following format will be used '{{ .Values.global.context }}/{{ .Release.Namespace }}' + runtimeName: "" + # E.g. + # runtimeName: prod-ue1-runtime-1/namespace +``` + +- Install chart + +```console +helm upgrade --install cf-runtime oci://quay.io/codefresh/cf-runtime -f values.yaml --create-namespace --namespace codefresh +``` + +## Chart Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). + +## Upgrade Chart + +### To 2.x + +This major release renames and deprecated several values in the chart. Most of the workload templates have been refactored. + +Affected values: +- `dockerRegistry` is deprecated. Replaced with `global.imageRegistry` +- `re` is renamed to `runtime` +- `storage.localVolumeMonitor` is replaced with `volumeProvisioner.dind-lv-monitor` +- `volumeProvisioner.volume-cleanup` is replaced with `volumeProvisioner.dind-volume-cleanup` +- `image` values structure has been updated. 
Split to `image.registry` `image.repository` `image.tag` +- pod's `annotations` is renamed to `podAnnotations` + +### To 3.x + +⚠️⚠️⚠️ +### READ this before the upgrade! + +This major release adds [runtime-environment](https://codefresh.io/docs/docs/installation/codefresh-runner/#runtime-environment-specification) spec into chart templates. +That means it is possible to set parametes for `dind` and `engine` pods via [values.yaml](./values.yaml). + +**If you had any overrides (i.e. tolerations/nodeSelector/environment variables/etc) added in runtime spec via [codefresh CLI](https://codefresh-io.github.io/cli/) (for example, you did use [get](https://codefresh-io.github.io/cli/runtime-environments/get-runtime-environments/) and [patch](https://codefresh-io.github.io/cli/runtime-environments/apply-runtime-environments/) commands to modify the runtime-environment), you MUST add these into chart's [values.yaml](./values.yaml) for `.Values.runtime.dind` or(and) .`Values.runtime.engine`** + +**For backward compatibility, you can disable updating runtime-environment spec via** `.Values.runtime.patch.enabled=false` + +Affected values: +- added **mandatory** `global.codefreshToken`/`global.codefreshTokenSecretKeyRef` **You must specify it before the upgrade!** +- `runtime.engine` is added +- `runtime.dind` is added +- `global.existingAgentToken` is replaced with `global.agentTokenSecretKeyRef` +- `global.existingDindCertsSecret` is replaced with `global.dindCertsSecretRef` + +### To 4.x + +This major release adds **agentless inCluster** runtime mode (relevant only for [Codefresh On-Premises](#on-premise) users) + +Affected values: +- `runtime.agent` / `runtime.inCluster` / `runtime.accounts` / `runtime.description` are added + +### To 5.x + +This major release converts `.runtime.dind.pvcs` from **list** to **dict** + +> 4.x chart's values example: +```yaml +runtime: + dind: + pvcs: + - name: dind + storageClassName: my-storage-class-name + volumeSize: 32Gi + 
reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName' + reuseVolumeSortOrder: pipeline_id +``` + +> 5.x chart's values example: +```yaml +runtime: + dind: + pvcs: + dind: + name: dind + storageClassName: my-storage-class-name + volumeSize: 32Gi + reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName' + reuseVolumeSortOrder: pipeline_id +``` + +Affected values: +- `.runtime.dind.pvcs` converted from **list** to **dict** + +### To 6.x + +⚠️⚠️⚠️ +### READ this before the upgrade! + +This major release deprecates previously required `codefresh runner init --generate-helm-values-file`. + +Affected values: +- **Replaced** `.monitor.clusterId` with `.global.context` as **mandatory** value! +- **Deprecated** `.global.agentToken` / `.global.agentTokenSecretKeyRef` +- **Removed** `.global.agentId` +- **Removed** `.global.keys` / `.global.dindCertsSecretRef` +- **Removed** `.global.existingAgentToken` / `existingDindCertsSecret` +- **Removed** `.monitor.clusterId` / `.monitor.token` / `.monitor.existingMonitorToken` + +#### Migrate the Helm chart from version 5.x to 6.x + +Given this is the legacy `generated_values.yaml` values: + +> legacy `generated_values.yaml` +```yaml +{ + "appProxy": { + "enabled": false, + }, + "monitor": { + "enabled": false, + "clusterId": "my-cluster-name", + "token": "1234567890" + }, + "global": { + "namespace": "namespace", + "codefreshHost": "https://g.codefresh.io", + "agentToken": "0987654321", + "agentId": "agent-id-here", + "agentName": "my-cluster-name_my-namespace", + "accountId": "my-account-id", + "runtimeName": "my-cluster-name/my-namespace", + "codefreshToken": "1234567890", + "keys": { + "key": "-----BEGIN RSA PRIVATE KEY-----...", + "csr": "-----BEGIN CERTIFICATE REQUEST-----...", + "ca": "-----BEGIN CERTIFICATE-----...", + "serverCert": "-----BEGIN CERTIFICATE-----..." 
+ } + } +} +``` + +Update `values.yaml` for new chart version: + +> For existing installation for backward compatibility `.Values.global.agentToken/agentTokenSecretKeyRef` **must be provided!** For installation from scratch this value is no longer required. + +> updated `values.yaml` +```yaml +global: + codefreshToken: "1234567890" + accountId: "my-account-id" + context: "my-cluster-name" + agentToken: "0987654321" # MANDATORY when migrating from < 6.x chart version ! + agentName: "my-cluster-name_my-namespace" # optional + runtimeName: "my-cluster-name/my-namespace" # optional +``` + +> **Note!** Though it's still possible to update runtime-environment via [get](https://codefresh-io.github.io/cli/runtime-environments/get-runtime-environments/) and [patch](https://codefresh-io.github.io/cli/runtime-environments/apply-runtime-environments/) commands, it's recommended to enable sidecar container to pull runtime spec from Codefresh API to detect any drift in configuration. + +```yaml +runner: + # -- Sidecar container + # Reconciles runtime spec from Codefresh API for drift detection + sidecar: + enabled: true +``` + +## Architecture + +[Codefresh Runner architecture](https://codefresh.io/docs/docs/installation/codefresh-runner/#codefresh-runner-architecture) + +## Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). 
+
+### EBS backend volume configuration
+
+`dind-volume-provisioner` should have permissions to create/attach/detach/delete/get EBS volumes
+
+Minimal IAM policy for `dind-volume-provisioner`
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:CreateSnapshot",
+ "ec2:CreateTags",
+ "ec2:CreateVolume",
+ "ec2:DeleteSnapshot",
+ "ec2:DeleteTags",
+ "ec2:DeleteVolume",
+ "ec2:DescribeInstances",
+ "ec2:DescribeSnapshots",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DetachVolume"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+There are three options:
+
+1. Run `dind-volume-provisioner` pod on the node/node-group with IAM role
+
+```yaml
+storage:
+ # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+ backend: ebs-csi
+
+ ebs:
+ availabilityZone: "us-east-1a"
+
+volumeProvisioner:
+ # -- Set node selector
+ nodeSelector: {}
+ # -- Set tolerations
+ tolerations: []
+```
+
+2. Pass static credentials in `.Values.storage.ebs.accessKeyId/accessKeyIdSecretKeyRef` and `.Values.storage.ebs.secretAccessKey/secretAccessKeySecretKeyRef`
+
+```yaml
+storage:
+ # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+ backend: ebs-csi
+
+ ebs:
+ availabilityZone: "us-east-1a"
+
+ # -- Set AWS_ACCESS_KEY_ID for volume-provisioner (optional)
+ accessKeyId: ""
+ # -- Existing secret containing AWS_ACCESS_KEY_ID.
+ accessKeyIdSecretKeyRef: {}
+ # E.g.
+ # accessKeyIdSecretKeyRef:
+ # name:
+ # key:
+
+ # -- Set AWS_SECRET_ACCESS_KEY for volume-provisioner (optional)
+ secretAccessKey: ""
+ # -- Existing secret containing AWS_SECRET_ACCESS_KEY
+ secretAccessKeySecretKeyRef: {}
+ # E.g.
+ # secretAccessKeySecretKeyRef:
+ # name:
+ # key:
+```
+
+3. Assign IAM role to `dind-volume-provisioner` service account
+
+```yaml
+storage:
+ # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+ backend: ebs-csi
+
+ ebs:
+ availabilityZone: "us-east-1a"
+
+volumeProvisioner:
+ # -- Service Account parameters
+ serviceAccount:
+ # -- Create service account
+ create: true
+ # -- Additional service account annotations
+ annotations:
+ eks.amazonaws.com/role-arn: "arn:aws:iam:::role/"
+```
+
+### Custom volume mounts
+
+You can add your own volumes and volume mounts in the runtime environment, so that all pipeline steps will have access to the same set of external files.
+
+```yaml
+runtime:
+ dind:
+ userVolumes:
+ regctl-docker-registry:
+ name: regctl-docker-registry
+ secret:
+ items:
+ - key: .dockerconfigjson
+ path: config.json
+ secretName: regctl-docker-registry
+ optional: true
+ userVolumeMounts:
+ regctl-docker-registry:
+ name: regctl-docker-registry
+ mountPath: /home/appuser/.docker/
+ readOnly: true
+
+```
+
+### Azure Disks backend volume configuration
+
+`dind-volume-provisioner` should have permissions to create/delete/get Azure Disks
+
+Role definition for `dind-volume-provisioner`
+
+`dind-volume-provisioner-role.json`
+```json
+{
+ "Name": "CodefreshDindVolumeProvisioner",
+ "Description": "Perform create/delete/get disks",
+ "IsCustom": true,
+ "Actions": [
+ "Microsoft.Compute/disks/read",
+ "Microsoft.Compute/disks/write",
+ "Microsoft.Compute/disks/delete"
+
+ ],
+ "AssignableScopes": ["/subscriptions/"]
+}
+```
+
+When creating an AKS cluster in Azure there is the option to use a [managed identity](https://learn.microsoft.com/en-us/azure/aks/use-managed-identity) that is assigned to the kubelet. This identity is assigned to the underlying node pool in the AKS cluster and can then be used by the dind-volume-provisioner.
+
+```console
+export ROLE_DEFINITIN_FILE=dind-volume-provisioner-role.json
+export SUBSCRIPTION_ID=$(az account show --query "id" | xargs echo )
+export RESOURCE_GROUP=
+export AKS_NAME=
+export LOCATION=$(az aks show -g $RESOURCE_GROUP -n $AKS_NAME --query location | xargs echo)
+export NODES_RESOURCE_GROUP=MC_${RESOURCE_GROUP}_${AKS_NAME}_${LOCATION}
+export NODE_SERVICE_PRINCIPAL=$(az aks show -g $RESOURCE_GROUP -n $AKS_NAME --query identityProfile.kubeletidentity.objectId | xargs echo)
+
+az role definition create --role-definition @${ROLE_DEFINITIN_FILE}
+az role assignment create --assignee $NODE_SERVICE_PRINCIPAL --scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$NODES_RESOURCE_GROUP --role CodefreshDindVolumeProvisioner
+```
+
+Deploy Helm chart with the following values:
+
+`values.yaml`
+```yaml
+volumeProvisioner:
+ podSecurityContext:
+ enabled: true
+ runAsUser: 0
+ runAsGroup: 0
+ fsGroup: 0
+
+storage:
+ backend: azuredisk
+ azuredisk:
+ availabilityZone: northeurope-1 # replace with your zone
+ resourceGroup: my-resource-group-name
+
+ mountAzureJson: true
+
+runtime:
+ dind:
+ nodeSelector:
+ topology.kubernetes.io/zone: northeurope-1
+```
+
+### GCE Disks backend volume configuration in GKE
+
+`dind-volume-provisioner` should have `ComputeEngine.StorageAdmin` permissions
+
+There are three options:
+
+1. Run `dind-volume-provisioner` pod on the node/node-group with IAM Service Account
+
+```yaml
+storage:
+ # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+ backend: gcedisk
+
+ gcedisk:
+ # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+ volumeType: "pd-standard"
+ # -- Set GCP volume availability zone
+ availabilityZone: "us-central1-c"
+
+volumeProvisioner:
+ # -- Set node selector
+ nodeSelector: {}
+ # -- Set tolerations
+ tolerations: []
+
+# -- Set runtime parameters
+runtime:
+ # -- Parameters for DinD (docker-in-docker) pod
+ dind:
+ # -- Set node selector.
+ nodeSelector:
+ topology.kubernetes.io/zone: us-central1-c
+```
+
+2. Pass static credentials in `.Values.storage.gcedisk.serviceAccountJson` (inline) or `.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef` (from your own secret)
+
+```yaml
+storage:
+ # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+ backend: gcedisk
+
+ gcedisk:
+ # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+ volumeType: "`pd-standard"
+ # -- Set GCP volume availability zone
+ availabilityZone: "us-central1-c"
+ # -- Set Google SA JSON key for volume-provisioner (optional)
+ serviceAccountJson: |
+ {
+ "type": "service_account",
+ "project_id": "...",
+ "private_key_id": "...",
+ "private_key": "...",
+ "client_email": "...",
+ "client_id": "...",
+ "auth_uri": "...",
+ "token_uri": "...",
+ "auth_provider_x509_cert_url": "...",
+ "client_x509_cert_url": "..."
+ }
+ # -- Existing secret containing containing Google SA JSON key for volume-provisioner (optional)
+ serviceAccountJsonSecretKeyRef: {}
+ # E.g.:
+ # serviceAccountJsonSecretKeyRef:
+ # name: gce-service-account
+ # key: service-account.json
+
+# -- Set runtime parameters
+runtime:
+ # -- Parameters for DinD (docker-in-docker) pod
+ dind:
+ # -- Set node selector.
+ nodeSelector:
+ topology.kubernetes.io/zone: us-central1-c
+```
+
+3. Assign IAM role to `dind-volume-provisioner` service account
+
+```yaml
+storage:
+ # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+ backend: gcedisk
+
+ gcedisk:
+ # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+ volumeType: "`pd-standard"
+ # -- Set GCP volume availability zone
+ availabilityZone: "us-central1-c"
+
+volumeProvisioner:
+ # -- Service Account parameters
+ serviceAccount:
+ # -- Create service account
+ create: true
+ # -- Additional service account annotations
+ annotations:
+ iam.gke.io/gcp-service-account: @.iam.gserviceaccount.com
+
+# -- Set runtime parameters
+runtime:
+ # -- Parameters for DinD (docker-in-docker) pod
+ dind:
+ # -- Set node selector.
+ nodeSelector:
+ topology.kubernetes.io/zone: us-central1-c
+```
+
+### Custom global environment variables
+
+You can add your own environment variables to the runtime environment. All pipeline steps have access to the global variables.
+
+```yaml
+runtime:
+ engine:
+ userEnvVars:
+ - name: GITHUB_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: github-token
+ key: token
+```
+
+### Volume reuse policy
+
+Volume reuse behavior depends on the configuration for `reuseVolumeSelector` in the runtime environment spec.
+
+```yaml
+runtime:
+ dind:
+ pvcs:
+ - name: dind
+ ...
+ reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName'
+ reuseVolumeSortOrder: pipeline_id
+```
+
+The following options are available:
+- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName'` - PV can be used by ANY pipeline in the specified account (default).
+Benefit: Fewer PVs, resulting in lower costs. Since any PV can be used by any pipeline, the cluster needs to maintain/reserve fewer PVs in its PV pool for Codefresh.
+Downside: Since the PV can be used by any pipeline, the PVs could have assets and info from different pipelines, reducing the probability of cache.
+
+- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName,project_id'` - PV can be used by ALL pipelines in your account, assigned to the same project.
+
+- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName,pipeline_id'` - PV can be used only by a single pipeline.
+Benefit: More probability of cache without “spam” from other pipelines.
+Downside: More PVs to maintain and therefore higher costs.
+
+- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName,pipeline_id,io.codefresh.branch_name'` - PV can be used only by single pipeline AND single branch.
+
+- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName,pipeline_id,trigger'` - PV can be used only by single pipeline AND single trigger.
+
+### Volume cleaners
+
+Codefresh pipelines require disk space for:
+ * [Pipeline Shared Volume](https://codefresh.io/docs/docs/pipelines/introduction-to-codefresh-pipelines/#sharing-the-workspace-between-build-steps) (`/codefresh/volume`, implemented as [docker volume](https://docs.docker.com/storage/volumes/))
+ * Docker containers, both running and stopped
+ * Docker images and cached layers
+
+Codefresh offers two options to manage disk space and prevent out-of-space errors:
+* Use runtime cleaners on Docker images and volumes
+* [Set the minimum disk space per pipeline build volume](https://codefresh.io/docs/docs/pipelines/pipelines/#set-minimum-disk-space-for-a-pipeline-build)
+
+To improve performance by using Docker cache, Codefresh `volume-provisioner` can provision previously used disks with Docker images and pipeline volumes from previously run builds.
+
+### Types of runtime volume cleaners
+
+Docker images and volumes must be cleaned on a regular basis.
+
+* [IN-DIND cleaner](https://github.com/codefresh-io/dind/tree/master/cleaner): Deletes extra Docker containers, volumes, and images in **DIND pod**.
+* [External volume cleaner](https://github.com/codefresh-io/dind-volume-cleanup): Deletes unused **external** PVs (EBS, GCE/Azure disks).
+* [Local volume cleaner](https://github.com/codefresh-io/dind-volume-utils/blob/master/local-volumes/lv-cleaner.sh): Deletes **local** volumes if node disk space is close to the threshold.
+
+### IN-DIND cleaner
+
+**Purpose:** Removes unneeded *docker containers, images, volumes* inside Kubernetes volume mounted on the DIND pod
+
+**How it runs:** Inside each DIND pod as script
+
+**Triggered by:** SIGTERM and also during the run when disk usage > 90% (configurable)
+
+**Configured by:** Environment Variables which can be set in Runtime Environment spec
+
+**Configuration/Logic:** [README.md](https://github.com/codefresh-io/dind/tree/master/cleaner#readme)
+
+Override `.Values.runtime.dind.env` if necessary (the following are **defaults**):
+
+```yaml
+runtime:
+ dind:
+ env:
+ CLEAN_PERIOD_SECONDS: '21600' # launch clean if last clean was more than CLEAN_PERIOD_SECONDS seconds ago
+ CLEAN_PERIOD_BUILDS: '5' # launch clean if last clean was more CLEAN_PERIOD_BUILDS builds since last build
+ IMAGE_RETAIN_PERIOD: '14400' # do not delete docker images if they have events since current_timestamp - IMAGE_RETAIN_PERIOD
+ VOLUMES_RETAIN_PERIOD: '14400' # do not delete docker volumes if they have events since current_timestamp - VOLUMES_RETAIN_PERIOD
+ DISK_USAGE_THRESHOLD: '0.8' # launch clean based on current disk usage DISK_USAGE_THRESHOLD
+ INODES_USAGE_THRESHOLD: '0.8' # launch clean based on current inodes usage INODES_USAGE_THRESHOLD
+```
+
+### External volumes cleaner
+
+**Purpose:** Removes unused *kubernetes volumes and related backend volumes*
+
+**How it runs:** Runs as `dind-volume-cleanup` CronJob. Installed in case the Runner uses non-local volumes `.Values.storage.backend != local`
+
+**Triggered by:** CronJob every 10min (configurable)
+
+**Configuration:**
+
+Set `codefresh.io/volume-retention` for dinds' PVCs:
+
+```yaml
+runtime:
+ dind:
+ pvcs:
+ dind:
+ ...
+ annotations:
+ codefresh.io/volume-retention: 7d
+```
+
+Or override environment variables for `dind-volume-cleanup` cronjob:
+
+```yaml
+volumeProvisioner:
+ dind-volume-cleanup:
+ env:
+ RETENTION_DAYS: 7 # clean volumes that were last used more than `RETENTION_DAYS` (default is 4) ago
+```
+
+### Local volumes cleaner
+
+**Purpose:** Deletes local volumes when node disk space is close to the threshold
+
+**How it runs:** Runs as `dind-lv-monitor` DaemonSet. Installed in case the Runner uses local volumes `.Values.storage.backend == local`
+
+**Triggered by:** Disk space usage or inode usage that exceeds thresholds (configurable)
+
+**Configuration:**
+
+Override environment variables for `dind-lv-monitor` daemonset:
+
+```yaml
+volumeProvisioner:
+ dind-lv-monitor:
+ env:
+ KB_USAGE_THRESHOLD: 60 # default 80 (percentage)
+ INODE_USAGE_THRESHOLD: 60 # default 80
+```
+
+### Rootless DinD
+
+DinD pod runs a `priviliged` container with **rootfull** docker.
+To run the docker daemon as non-root user (**rootless** mode), change dind image tag:
+
+`values.yaml`
+```yaml
+runtime:
+ dind:
+ image:
+ tag: rootless
+```
+
+### ARM
+
+With the Codefresh Runner, you can run native ARM64v8 builds.
+
+> **Note!**
+> You cannot run both amd64 and arm64 images within the same pipeline. As one pipeline can map only to one runtime, you can run either amd64 or arm64 within the same pipeline.
+
+Provide `nodeSelector` and(or) `tolerations` for dind pods:
+
+`values.yaml`
+```yaml
+runtime:
+ dind:
+ nodeSelector:
+ arch: arm64
+ tolerations:
+ - key: arch
+ operator: Equal
+ value: arm64
+ effect: NoSchedule
+```
+
+### Openshift
+
+To install Codefresh Runner on OpenShift use the following `values.yaml` example
+
+```yaml
+runner:
+ podSecurityContext:
+ enabled: false
+
+volumeProvisioner:
+ podSecurityContext:
+ enabled: false
+ env:
+ PRIVILEGED_CONTAINER: true
+ dind-lv-monitor:
+ containerSecurityContext:
+ enabled: true
+ privileged: true
+ volumePermissions:
+ enabled: true
+ securityContext:
+ privileged: true
+ runAsUser: auto
+```
+
+Grant `privileged` SCC to `cf-runtime-runner` and `cf-runtime-volume-provisioner` service accounts.
+
+```console
+oc adm policy add-scc-to-user privileged system:serviceaccount:codefresh:cf-runtime-runner
+
+oc adm policy add-scc-to-user privileged system:serviceaccount:codefresh:cf-runtime-volume-provisioner
+```
+
+### On-premise
+
+If you have [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) deployed, you can install Codefresh Runner in **agentless** mode.
+
+**What is agentless mode?**
+
+Agent (aka venona) is Runner component which responsible for calling Codefresh API to run builds and create dind/engine pods and pvc objects. Agent can only be assigned to a single account, thus you can't share one runtime across multiple accounts. However, with **agentless** mode it's possible to register the runtime as **system**-type runtime so it's registered on the platform level and can be assigned/shared across multiple accounts.
+
+**What are the prerequisites?**
+- You have a running [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) control-plane environment
+- You have a Codefresh API token with platform **Admin** permissions scope
+
+### How to deploy agentless runtime when it's on the SAME k8s cluster as On-Premises control-plane environment?
+
+- Enable cluster-level permissions for cf-api (On-Premises control-plane component)
+
+> `values.yaml` for [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) Helm chart
+```yaml
+cfapi:
+ ...
+ # -- Enable ClusterRole/ClusterRoleBinding
+ rbac:
+ namespaced: false
+```
+
+- Set the following values for Runner Helm chart
+
+`.Values.global.codefreshHost=...` \
+`.Values.global.codefreshToken=...` \
+`.Values.global.runtimeName=system/...` \
+`.Values.runtime.agent=false` \
+`.Values.runtime.inCluster=true`
+
+> `values.yaml` for [Codefresh Runner](https://artifacthub.io/packages/helm/codefresh-runner/cf-runtime) helm chart
+```yaml
+global:
+ # -- URL of Codefresh On-Premises Platform
+ codefreshHost: "https://myonprem.somedomain.com"
+ # -- User token in plain text with Admin permission scope
+ codefreshToken: ""
+ # -- User token that references an existing secret containing API key.
+ codefreshTokenSecretKeyRef: {}
+ # E.g.
+ # codefreshTokenSecretKeyRef:
+ # name: my-codefresh-api-token
+ # key: codefresh-api-token
+
+ # -- Distinguished runtime name
+ # (for On-Premise only; mandatory!) Must be prefixed with "system/..."
+ runtimeName: "system/prod-ue1-some-cluster-name"
+
+# -- Set runtime parameters
+runtime:
+ # -- (for On-Premise only; mandatory!) Disable agent
+ agent: false
+ # -- (for On-Premise only; optional) Set inCluster runtime (default: `true`)
+ # `inCluster=true` flag is set when Runtime and On-Premises control-plane are run on the same cluster
+ # `inCluster=false` flag is set when Runtime and On-Premises control-plane are on different clusters
+ inCluster: true
+ # -- (for On-Premise only; optional) Assign accounts to runtime (list of account ids; default is empty)
+ # Accounts can be assigned to the runtime in Codefresh UI later so you can kepp it empty.
+ accounts: []
+ # -- Set parent runtime to inherit.
+ runtimeExtends: []
+```
+
+- Install the chart
+
+```console
+helm upgrade --install cf-runtime oci://quay.io/codefresh/cf-runtime -f values.yaml --create-namespace --namespace cf-runtime
+```
+
+- Verify the runtime and run test pipeline
+
+Go to [https:///admin/runtime-environments/system](https:///admin/runtime-environments/system) to check the runtime. Assign it to the required account(s). Run test pipeline on it.
+
+### How to deploy agentless runtime when it's on the DIFFERENT k8s cluster than On-Premises control-plane environment?
+
+In this case, it's required to mount runtime cluster's `KUBECONFIG` into On-Premises `cf-api` deployment
+
+- Create the neccessary RBAC resources
+
+> `values.yaml` for [Codefresh Runner](https://artifacthub.io/packages/helm/codefresh-runner/cf-runtime) helm chart
+```yaml
+extraResources:
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: Role
+ metadata:
+ name: codefresh-role
+ namespace: '{{ .Release.Namespace }}'
+ rules:
+ - apiGroups: [""]
+ resources: ["pods", "persistentvolumeclaims", "persistentvolumes"]
+ verbs: ["list", "watch", "get", "create", "patch", "delete"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["list", "watch", "get", "create", "patch", "delete"]
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: codefresh-runtime-user
+ namespace: '{{ .Release.Namespace }}'
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: codefresh-runtime-user
+ namespace: '{{ .Release.Namespace }}'
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: codefresh-role
+ subjects:
+ - kind: ServiceAccount
+ name: codefresh-runtime-user
+ namespace: '{{ .Release.Namespace }}'
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ name: codefresh-runtime-user-token
+ namespace: '{{ .Release.Namespace }}'
+ annotations:
+ kubernetes.io/service-account.name: codefresh-runtime-user
+ type: kubernetes.io/service-account-token
+```
+
+- Set up the following environment variables to create a `KUBECONFIG` file
+
+```shell
+NAMESPACE=cf-runtime
+CLUSTER_NAME=prod-ue1-some-cluster-name
+CURRENT_CONTEXT=$(kubectl config current-context)
+
+USER_TOKEN_VALUE=$(kubectl -n cf-runtime get secret/codefresh-runtime-user-token -o=go-template='{{.data.token}}' | base64 --decode)
+CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{range .contexts}}{{if eq .name "'''${CURRENT_CONTEXT}'''"}}{{ index .context "cluster" }}{{end}}{{end}}')
+CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}')
+CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}{{ .cluster.server }}{{end}}{{ end }}')
+
+export -p USER_TOKEN_VALUE CURRENT_CONTEXT CURRENT_CLUSTER CLUSTER_CA CLUSTER_SERVER CLUSTER_NAME
+```
+
+- Create a kubeconfig file
+
+```console
+cat << EOF > $CLUSTER_NAME-kubeconfig
+apiVersion: v1
+kind: Config
+current-context: ${CLUSTER_NAME}
+contexts:
+- name: ${CLUSTER_NAME}
+ context:
+ cluster: ${CLUSTER_NAME}
+ user: codefresh-runtime-user
+ namespace: ${NAMESPACE}
+clusters:
+- name: ${CLUSTER_NAME}
+ cluster:
+ certificate-authority-data: ${CLUSTER_CA}
+ server: ${CLUSTER_SERVER}
+users:
+- name: ${CLUSTER_NAME}
+ user:
+ token: ${USER_TOKEN_VALUE}
+EOF
+```
+
+- **Switch context to On-Premises control-plane cluster**. Create k8s secret (via any tool like [ESO](https://external-secrets.io/v0.4.4/), `kubectl`, etc ) containing runtime cluster's `KUBECONFG` created in previous step.
+
+```shell
+NAMESPACE=codefresh
+kubectl create secret generic dind-runtime-clusters --from-file=$CLUSTER_NAME=$CLUSTER_NAME-kubeconfig -n $NAMESPACE
+```
+
+- Mount secret containing runtime cluster's `KUBECONFG` into cf-api in On-Premises control-plane cluster
+
+> `values.yaml` for [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) helm chart
+```yaml
+cf-api:
+ ...
+ volumes:
+ dind-clusters:
+ enabled: true
+ type: secret
+ nameOverride: dind-runtime-clusters
+ optional: true
+```
+> volumeMount `/etc/kubeconfig` is already configured in cf-api Helm chart template. No need to specify it.
+
+- Set the following values for Runner helm chart
+
+> `values.yaml` for [Codefresh Runner](https://artifacthub.io/packages/helm/codefresh-runner/cf-runtime) helm chart
+
+`.Values.global.codefreshHost=...` \
+`.Values.global.codefreshToken=...` \
+`.Values.global.runtimeName=system/...` \
+`.Values.runtime.agent=false` \
+`.Values.runtime.inCluster=false`
+
+**Important!**
+`.Values.global.name` ("system/" prefix is ignored!) should match the cluster name (key in `dind-runtime-clusters` secret created previously)
+```yaml
+global:
+ # -- URL of Codefresh On-Premises Platform
+ codefreshHost: "https://myonprem.somedomain.com"
+ # -- User token in plain text with Admin permission scope
+ codefreshToken: ""
+ # -- User token that references an existing secret containing API key.
+ codefreshTokenSecretKeyRef: {}
+ # E.g.
+ # codefreshTokenSecretKeyRef:
+ # name: my-codefresh-api-token
+ # key: codefresh-api-token
+
+ # -- Distinguished runtime name
+ # (for On-Premise only; mandatory!) Must be prefixed with "system/..."
+ name: "system/prod-ue1-some-cluster-name"
+
+# -- Set runtime parameters
+runtime:
+ # -- (for On-Premise only; mandatory!) Disable agent
+ agent: false
+ # -- (for On-Premise only; optional) Set inCluster runtime (default: `true`)
+ # `inCluster=true` flag is set when Runtime and On-Premises control-plane are run on the same cluster
+ # `inCluster=false` flag is set when Runtime and On-Premises control-plane are on different clusters
+ inCluster: false
+ # -- (for On-Premise only; optional) Assign accounts to runtime (list of account ids; default is empty)
+ # Accounts can be assigned to the runtime in Codefresh UI later so you can kepp it empty.
+ accounts: []
+ # -- (optional) Set parent runtime to inherit.
+ runtimeExtends: []
+```
+
+- Install the chart
+
+```console
+helm upgrade --install cf-runtime oci://quay.io/codefresh/cf-runtime -f values.yaml --create-namespace --namespace cf-runtime
+```
+
+- Verify the runtime and run test pipeline
+
+Go to [https:///admin/runtime-environments/system](https:///admin/runtime-environments/system) to see the runtime. Assign it to the required account(s).
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| oci://quay.io/codefresh/charts | cf-common | 0.16.0 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| appProxy.affinity | object | `{}` | Set affinity |
+| appProxy.enabled | bool | `false` | Enable app-proxy |
+| appProxy.env | object | `{}` | Add additional env vars |
+| appProxy.image | object | `{"registry":"quay.io","repository":"codefresh/cf-app-proxy","tag":"0.0.47"}` | Set image |
+| appProxy.ingress.annotations | object | `{}` | Set extra annotations for ingress object |
+| appProxy.ingress.class | string | `""` | Set ingress class |
+| appProxy.ingress.host | string | `""` | Set DNS hostname the ingress will use |
+| appProxy.ingress.pathPrefix | string | `""` | Set path prefix for ingress (keep empty for default `/` path) |
+| appProxy.ingress.tlsSecret | string | `""` | Set k8s tls secret for the ingress object |
+| appProxy.nodeSelector | object | `{}` | Set node selector |
+| appProxy.podAnnotations | object | `{}` | Set pod annotations |
+| appProxy.podSecurityContext | object | `{}` | Set security context for the pod |
+| appProxy.rbac | object | `{"create":true,"namespaced":true,"rules":[]}` | RBAC parameters |
+| appProxy.rbac.create | bool | `true` | Create RBAC resources |
+| appProxy.rbac.namespaced | bool | `true` | Use Role(true)/ClusterRole(true) |
+| appProxy.rbac.rules | list | `[]` | Add custom rule to the role |
+| appProxy.readinessProbe | object | See below | Readiness probe configuration |
+| appProxy.replicasCount | int | `1` | Set number of pods |
+| appProxy.resources | object | `{}` | Set requests and limits |
+| appProxy.serviceAccount | object | `{"annotations":{},"create":true,"name":"","namespaced":true}` | Service Account parameters |
+| appProxy.serviceAccount.annotations | object | `{}` | Additional service account annotations |
+| appProxy.serviceAccount.create | bool | `true` | Create service account |
+| appProxy.serviceAccount.name | string | `""` | Override service account name |
+| appProxy.serviceAccount.namespaced | bool | `true` | Use Role(true)/ClusterRole(true) |
+| appProxy.tolerations | list | `[]` | Set tolerations |
+| appProxy.updateStrategy | object | `{"type":"RollingUpdate"}` | Upgrade strategy |
+| dockerRegistry | string | `""` | |
+| event-exporter | object | See below | Event exporter parameters |
+| event-exporter.affinity | object | `{}` | Set affinity |
+| event-exporter.enabled | bool | `false` | Enable event-exporter |
+| event-exporter.env | object | `{}` | Add additional env vars |
+| event-exporter.image | object | `{"registry":"docker.io","repository":"codefresh/k8s-event-exporter","tag":"latest"}` | Set image |
+| event-exporter.nodeSelector | object | `{}` | Set node selector |
+| event-exporter.podAnnotations | object | `{}` | Set pod annotations |
+| event-exporter.podSecurityContext | object | See below | Set security context for the pod |
+| event-exporter.rbac | object | `{"create":true,"rules":[]}` | RBAC parameters |
+| event-exporter.rbac.create | bool | `true` | Create RBAC resources |
+| event-exporter.rbac.rules | list | `[]` | Add custom rule to the role |
+| event-exporter.replicasCount | int | `1` | Set number of pods |
+| event-exporter.resources | object | `{}` | Set resources |
+| event-exporter.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | Service Account parameters |
+| event-exporter.serviceAccount.annotations | object | `{}` | Additional service account annotations |
+| event-exporter.serviceAccount.create | bool | `true` | Create service account |
+| event-exporter.serviceAccount.name | string | `""` | Override service account name |
+| event-exporter.tolerations | list | `[]` | Set tolerations |
+| event-exporter.updateStrategy | object | `{"type":"Recreate"}` | Upgrade strategy |
+| extraResources | list | `[]` | Array of extra objects to deploy with the release |
+| fullnameOverride | string | `""` | String to fully override cf-runtime.fullname template |
+| global | object | See below | Global parameters |
+| global.accountId | string | `""` | Account ID (required!) Can be obtained here https://g.codefresh.io/2.0/account-settings/account-information |
+| global.agentName | string | `""` | Agent Name (optional!) If omitted, the following format will be used `{{ .Values.global.context }}_{{ .Release.Namespace }}` |
+| global.agentToken | string | `""` | DEPRECATED Agent token in plain text. !!! MUST BE provided if migrating from < 6.x chart version |
+| global.agentTokenSecretKeyRef | object | `{}` | DEPRECATED Agent token that references an existing secret containing API key. !!! MUST BE provided if migrating from < 6.x chart version |
+| global.codefreshHost | string | `"https://g.codefresh.io"` | URL of Codefresh Platform (required!) |
+| global.codefreshToken | string | `""` | User token in plain text (required if `global.codefreshTokenSecretKeyRef` is omitted!) Ref: https://g.codefresh.io/user/settings (see API Keys) Minimal API key scopes: Runner-Installation(read+write), Agent(read+write), Agents(read+write) |
+| global.codefreshTokenSecretKeyRef | object | `{}` | User token that references an existing secret containing API key (required if `global.codefreshToken` is omitted!) |
+| global.context | string | `""` | K8s context name (required!) |
+| global.imagePullSecrets | list | `[]` | Global Docker registry secret names as array |
+| global.imageRegistry | string | `""` | Global Docker image registry |
+| global.runtimeName | string | `""` | Runtime name (optional!) If omitted, the following format will be used `{{ .Values.global.context }}/{{ .Release.Namespace }}` |
+| monitor.affinity | object | `{}` | Set affinity |
+| monitor.enabled | bool | `false` | Enable monitor Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#install-monitoring-component |
+| monitor.env | object | `{}` | Add additional env vars |
+| monitor.image | object | `{"registry":"quay.io","repository":"codefresh/cf-k8s-agent","tag":"1.3.17"}` | Set image |
+| monitor.nodeSelector | object | `{}` | Set node selector |
+| monitor.podAnnotations | object | `{}` | Set pod annotations |
+| monitor.podSecurityContext | object | `{}` | |
+| monitor.rbac | object | `{"create":true,"namespaced":true,"rules":[]}` | RBAC parameters |
+| monitor.rbac.create | bool | `true` | Create RBAC resources |
+| monitor.rbac.namespaced | bool | `true` | Use Role(true)/ClusterRole(true) |
+| monitor.rbac.rules | list | `[]` | Add custom rule to the role |
+| monitor.readinessProbe | object | See below | Readiness probe configuration |
+| monitor.replicasCount | int | `1` | Set number of pods |
+| monitor.resources | object | `{}` | Set resources |
+| monitor.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | Service Account parameters |
+| monitor.serviceAccount.annotations | object | `{}` | Additional service account annotations |
+| monitor.serviceAccount.create | bool | `true` | Create service account |
+| monitor.serviceAccount.name | string | `""` | Override service account name |
+| monitor.tolerations | list | `[]` | Set tolerations |
+| monitor.updateStrategy | object | `{"type":"RollingUpdate"}` | Upgrade strategy |
+| nameOverride | string | `""` | String to partially override cf-runtime.fullname template (will maintain the release name) |
+| podMonitor | object | See below | Add podMonitor (for engine pods) |
+| podMonitor.main.enabled | bool | `false` | Enable pod monitor for engine pods |
+| podMonitor.runner.enabled | bool | `false` | Enable pod monitor for runner pod |
+| podMonitor.volume-provisioner.enabled | bool | `false` | Enable pod monitor for volumeProvisioner pod |
+| re | object | `{}` | |
+| runner | object | See below | Runner parameters |
+| runner.affinity | object | `{}` | Set affinity |
+| runner.enabled | bool | `true` | Enable the runner |
+| runner.env | object | `{}` | Add additional env vars |
+| runner.image | object | `{"registry":"quay.io","repository":"codefresh/venona","tag":"1.10.2"}` | Set image |
+| runner.init | object | `{"image":{"registry":"quay.io","repository":"codefresh/cli","tag":"0.85.0-rootless"},"resources":{"limits":{"cpu":"1","memory":"512Mi"},"requests":{"cpu":"0.2","memory":"256Mi"}}}` | Init container |
+| runner.nodeSelector | object | `{}` | Set node selector |
+| runner.podAnnotations | object | `{}` | Set pod annotations |
+| runner.podSecurityContext | object | See below | Set security context for the pod |
+| runner.rbac | object | `{"create":true,"rules":[]}` | RBAC parameters |
+| runner.rbac.create | bool | `true` | Create RBAC resources |
+| runner.rbac.rules | list | `[]` | Add custom rule to the role |
+| runner.readinessProbe | object | See below | Readiness probe configuration |
+| runner.replicasCount | int | `1` | Set number of pods |
+| runner.resources | object | `{}` | Set requests and limits |
+| runner.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | Service Account parameters |
+| runner.serviceAccount.annotations | object | `{}` | Additional service account annotations |
+| runner.serviceAccount.create | bool | `true` | Create service account |
+| runner.serviceAccount.name | string | `""` | Override service account name |
+| runner.sidecar | object | `{"enabled":false,"env":{"RECONCILE_INTERVAL":300},"image":{"registry":"quay.io","repository":"codefresh/codefresh-shell","tag":"0.0.2"},"resources":{}}` | Sidecar container Reconciles runtime spec from Codefresh API for drift detection |
+| runner.tolerations | list | `[]` | Set tolerations |
+| runner.updateStrategy | object | `{"type":"RollingUpdate"}` | Upgrade strategy |
+| runtime | object | See below | Set runtime parameters |
+| runtime.accounts | list | `[]` | (for On-Premise only) Assign accounts to runtime (list of account ids) |
+| runtime.agent | bool | `true` | (for On-Premise only) Enable agent |
+| runtime.description | string | `""` | Runtime description |
+| runtime.dind | object | `{"affinity":{},"env":{"DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE":true},"image":{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"26.1.4-1.28.7"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"pvcs":{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). |
+| runtime.dind.affinity | object | `{}` | Set affinity |
+| runtime.dind.env | object | `{"DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE":true}` | Set additional env vars. |
+| runtime.dind.image | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"26.1.4-1.28.7"}` | Set dind image. |
+| runtime.dind.nodeSelector | object | `{}` | Set node selector. |
+| runtime.dind.podAnnotations | object | `{}` | Set pod annotations. |
+| runtime.dind.podLabels | object | `{}` | Set pod labels. |
+| runtime.dind.pvcs | object | `{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}}` | PV claim spec parametes. |
+| runtime.dind.pvcs.dind | object | `{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}` | Default dind PVC parameters |
+| runtime.dind.pvcs.dind.annotations | object | `{}` | PV annotations. |
+| runtime.dind.pvcs.dind.name | string | `"dind"` | PVC name prefix. Keep `dind` as default! Don't change! |
+| runtime.dind.pvcs.dind.reuseVolumeSelector | string | `"codefresh-app,io.codefresh.accountName"` | PV reuse selector. Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#volume-reuse-policy |
+| runtime.dind.pvcs.dind.storageClassName | string | `"{{ include \"dind-volume-provisioner.storageClassName\" . }}"` | PVC storage class name. Change ONLY if you need to use storage class NOT from Codefresh volume-provisioner |
+| runtime.dind.pvcs.dind.volumeSize | string | `"16Gi"` | PVC size. |
+| runtime.dind.resources | object | `{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null}` | Set dind resources. |
+| runtime.dind.schedulerName | string | `""` | Set scheduler name. |
+| runtime.dind.serviceAccount | string | `"codefresh-engine"` | Set service account for pod. |
+| runtime.dind.tolerations | list | `[]` | Set tolerations. |
+| runtime.dind.userAccess | bool | `true` | Keep `true` as default! |
+| runtime.dind.userVolumeMounts | object | `{}` | Add extra volume mounts |
+| runtime.dind.userVolumes | object | `{}` | Add extra volumes |
+| runtime.dindDaemon | object | See below | DinD pod daemon config |
+| runtime.engine | object | `{"affinity":{},"command":["npm","run","start"],"env":{"CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":true,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100},"image":{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.174.12"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"COMPOSE_IMAGE":"quay.io/codefresh/compose:v2.28.1-1.5.0","CONTAINER_LOGGER_IMAGE":"quay.io/codefresh/cf-container-logger:1.11.6","COSIGN_IMAGE_SIGNER_IMAGE":"quay.io/codefresh/cf-cosign-image-signer:2.4.0-cf.2","CR_6177_FIXER":"quay.io/codefresh/alpine:edge","DOCKER_BUILDER_IMAGE":"quay.io/codefresh/cf-docker-builder:1.3.13","DOCKER_PULLER_IMAGE":"quay.io/codefresh/cf-docker-puller:8.0.17","DOCKER_PUSHER_IMAGE":"quay.io/codefresh/cf-docker-pusher:6.0.16","DOCKER_TAG_PUSHER_IMAGE":"quay.io/codefresh/cf-docker-tag-pusher:1.3.14","FS_OPS_IMAGE":"quay.io/codefresh/fs-ops:1.2.3","GC_BUILDER_IMAGE":"quay.io/codefresh/cf-gc-builder:0.5.3","GIT_CLONE_IMAGE":"quay.io/codefresh/cf-git-cloner:10.1.28","KUBE_DEPLOY":"quay.io/codefresh/cf-deploy-kubernetes:16.1.11","PIPELINE_DEBUGGER_IMAGE":"quay.io/codefresh/cf-debugger:1.3.0","TEMPLATE_ENGINE":"quay.io/codefresh/pikolo:0.14.1"},"schedulerName":"","serviceAccount":"codefresh-engine","tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM
_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). | +| runtime.engine.affinity | object | `{}` | Set affinity | +| runtime.engine.command | list | `["npm","run","start"]` | Set container command. | +| runtime.engine.env | object | `{"CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":true,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100}` | Set additional env vars. | +| runtime.engine.env.CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS | int | `1000` | Interval to check the exec status in the container-logger | +| runtime.engine.env.DOCKER_REQUEST_TIMEOUT_MS | int | `30000` | Timeout while doing requests to the Docker daemon | +| runtime.engine.env.FORCE_COMPOSE_SERIAL_PULL | bool | `false` | If "true", composition images will be pulled sequentially | +| runtime.engine.env.LOGGER_LEVEL | string | `"debug"` | Level of logging for engine | +| runtime.engine.env.LOG_OUTGOING_HTTP_REQUESTS | bool | `false` | Enable debug-level logging of outgoing HTTP/HTTPS requests | +| runtime.engine.env.METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS | bool | `false` | Enable collecting process metrics | +| runtime.engine.env.METRICS_PROMETHEUS_ENABLED | bool | `true` | Enable emitting metrics from engine | +| runtime.engine.env.METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS | bool | `false` | Enable legacy metrics | +| runtime.engine.env.METRICS_PROMETHEUS_HOST | string | 
`"0.0.0.0"` | Host for Prometheus metrics server | +| runtime.engine.env.METRICS_PROMETHEUS_PORT | int | `9100` | Port for Prometheus metrics server | +| runtime.engine.image | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.174.12"}` | Set image. | +| runtime.engine.nodeSelector | object | `{}` | Set node selector. | +| runtime.engine.podAnnotations | object | `{}` | Set pod annotations. | +| runtime.engine.podLabels | object | `{}` | Set pod labels. | +| runtime.engine.resources | object | `{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Set resources. | +| runtime.engine.runtimeImages | object | See below. | Set system(base) runtime images. | +| runtime.engine.schedulerName | string | `""` | Set scheduler name. | +| runtime.engine.serviceAccount | string | `"codefresh-engine"` | Set service account for pod. | +| runtime.engine.tolerations | list | `[]` | Set tolerations. | +| runtime.engine.userEnvVars | list | `[]` | Set extra env vars | +| runtime.engine.workflowLimits | object | `{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}` | Set workflow limits. | +| runtime.engine.workflowLimits.MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS | int | `600` | Maximum time allowed to the engine to wait for the pre-steps (aka "Initializing Process") to succeed; seconds. | +| runtime.engine.workflowLimits.MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION | int | `86400` | Maximum time for workflow execution; seconds. 
| +| runtime.engine.workflowLimits.MAXIMUM_ELECTED_STATE_AGE_ALLOWED | int | `900` | Maximum time allowed to workflow to spend in "elected" state; seconds. | +| runtime.engine.workflowLimits.MAXIMUM_RETRY_ATTEMPTS_ALLOWED | int | `20` | Maximum retry attempts allowed for workflow. | +| runtime.engine.workflowLimits.MAXIMUM_TERMINATING_STATE_AGE_ALLOWED | int | `900` | Maximum time allowed to workflow to spend in "terminating" state until force terminated; seconds. | +| runtime.engine.workflowLimits.MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE | int | `300` | Maximum time allowed to workflow to spend in "terminating" state without logs activity until force terminated; seconds. | +| runtime.engine.workflowLimits.TIME_ENGINE_INACTIVE_UNTIL_TERMINATION | int | `300` | Time since the last health check report after which workflow is terminated; seconds. | +| runtime.engine.workflowLimits.TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY | int | `60` | Time since the last health check report after which the engine is considered unhealthy; seconds. | +| runtime.engine.workflowLimits.TIME_INACTIVE_UNTIL_TERMINATION | int | `2700` | Time since the last workflow logs activity after which workflow is terminated; seconds. | +| runtime.gencerts | object | See below | Parameters for `gencerts-dind` post-upgrade/install hook | +| runtime.inCluster | bool | `true` | (for On-Premise only) Set inCluster runtime | +| runtime.patch | object | See below | Parameters for `runtime-patch` post-upgrade/install hook | +| runtime.rbac | object | `{"create":true,"rules":[]}` | RBAC parameters | +| runtime.rbac.create | bool | `true` | Create RBAC resources | +| runtime.rbac.rules | list | `[]` | Add custom rule to the engine role | +| runtime.runtimeExtends | list | `["system/default/hybrid/k8s_low_limits"]` | Set parent runtime to inherit. Should not be changes. Parent runtime is controlled from Codefresh side. 
| +| runtime.serviceAccount | object | `{"annotations":{},"create":true}` | Set annotation on engine Service Account Ref: https://codefresh.io/docs/docs/administration/codefresh-runner/#injecting-aws-arn-roles-into-the-cluster | +| serviceMonitor | object | See below | Add serviceMonitor | +| serviceMonitor.main.enabled | bool | `false` | Enable service monitor for dind pods | +| storage.azuredisk.cachingMode | string | `"None"` | | +| storage.azuredisk.skuName | string | `"Premium_LRS"` | Set storage type (`Premium_LRS`) | +| storage.backend | string | `"local"` | Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`) | +| storage.ebs.accessKeyId | string | `""` | Set AWS_ACCESS_KEY_ID for volume-provisioner (optional) Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions | +| storage.ebs.accessKeyIdSecretKeyRef | object | `{}` | Existing secret containing AWS_ACCESS_KEY_ID. | +| storage.ebs.availabilityZone | string | `"us-east-1a"` | Set EBS volumes availability zone (required) | +| storage.ebs.encrypted | string | `"false"` | Enable encryption (optional) | +| storage.ebs.kmsKeyId | string | `""` | Set KMS encryption key ID (optional) | +| storage.ebs.secretAccessKey | string | `""` | Set AWS_SECRET_ACCESS_KEY for volume-provisioner (optional) Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions | +| storage.ebs.secretAccessKeySecretKeyRef | object | `{}` | Existing secret containing AWS_SECRET_ACCESS_KEY | +| storage.ebs.volumeType | string | `"gp2"` | Set EBS volume type (`gp2`/`gp3`/`io1`) (required) | +| storage.fsType | string | `"ext4"` | Set filesystem type (`ext4`/`xfs`) | +| storage.gcedisk.availabilityZone | string | `"us-west1-a"` | Set GCP volume availability zone | +| storage.gcedisk.serviceAccountJson | string | `""` | Set Google SA JSON key for volume-provisioner (optional) | +| storage.gcedisk.serviceAccountJsonSecretKeyRef | object 
| `{}` | Existing secret containing containing Google SA JSON key for volume-provisioner (optional) | +| storage.gcedisk.volumeType | string | `"pd-ssd"` | Set GCP volume backend type (`pd-ssd`/`pd-standard`) | +| storage.local.volumeParentDir | string | `"/var/lib/codefresh/dind-volumes"` | Set volume path on the host filesystem | +| storage.mountAzureJson | bool | `false` | | +| volumeProvisioner | object | See below | Volume Provisioner parameters | +| volumeProvisioner.affinity | object | `{}` | Set affinity | +| volumeProvisioner.dind-lv-monitor | object | See below | `dind-lv-monitor` DaemonSet parameters (local volumes cleaner) | +| volumeProvisioner.enabled | bool | `true` | Enable volume-provisioner | +| volumeProvisioner.env | object | `{}` | Add additional env vars | +| volumeProvisioner.image | object | `{"registry":"quay.io","repository":"codefresh/dind-volume-provisioner","tag":"1.35.0"}` | Set image | +| volumeProvisioner.nodeSelector | object | `{}` | Set node selector | +| volumeProvisioner.podAnnotations | object | `{}` | Set pod annotations | +| volumeProvisioner.podSecurityContext | object | See below | Set security context for the pod | +| volumeProvisioner.rbac | object | `{"create":true,"rules":[]}` | RBAC parameters | +| volumeProvisioner.rbac.create | bool | `true` | Create RBAC resources | +| volumeProvisioner.rbac.rules | list | `[]` | Add custom rule to the role | +| volumeProvisioner.replicasCount | int | `1` | Set number of pods | +| volumeProvisioner.resources | object | `{}` | Set resources | +| volumeProvisioner.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | Service Account parameters | +| volumeProvisioner.serviceAccount.annotations | object | `{}` | Additional service account annotations | +| volumeProvisioner.serviceAccount.create | bool | `true` | Create service account | +| volumeProvisioner.serviceAccount.name | string | `""` | Override service account name | +| volumeProvisioner.tolerations | list | 
`[]` | Set tolerations | +| volumeProvisioner.updateStrategy | object | `{"type":"Recreate"}` | Upgrade strategy | + diff --git a/charts/codefresh/cf-runtime/6.3.61/README.md.gotmpl b/charts/codefresh/cf-runtime/6.3.61/README.md.gotmpl new file mode 100644 index 000000000..96e5ca574 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.3.61/README.md.gotmpl 
@@ -0,0 +1,1007 @@
+## Codefresh Runner
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/installation/codefresh-runner/) to Kubernetes.
+
+## Table of Content
+
+- [Prerequisites](#prerequisites)
+- [Get Chart Info](#get-chart-info)
+- [Install Chart](#install-chart)
+- [Chart Configuration](#chart-configuration)
+- [Upgrade Chart](#upgrade-chart)
+ - [To 2.x](#to-2-x)
+ - [To 3.x](#to-3-x)
+ - [To 4.x](#to-4-x)
+ - [To 5.x](#to-5-x)
+ - [To 6.x](#to-6-x)
+- [Architecture](#architecture)
+- [Configuration](#configuration)
+ - [EBS backend volume configuration in AWS](#ebs-backend-volume-configuration)
+ - [Azure Disks backend volume configuration in AKS](#azure-disks-backend-volume-configuration)
+ - [GCE Disks backend volume configuration in GKE](#gce-disks-backend-volume-configuration-in-gke)
+ - [Custom volume mounts](#custom-volume-mounts)
+ - [Custom global environment variables](#custom-global-environment-variables)
+ - [Volume reuse policy](#volume-reuse-policy)
+ - [Volume cleaners](#volume-cleaners)
+ - [Rootless DinD](#rootless-dind)
+ - [ARM](#arm)
+ - [Openshift](#openshift)
+ - [On-premise](#on-premise)
+
+## Prerequisites
+
+- Kubernetes **1.19+**
+- Helm **3.8.0+**
+
+⚠️⚠️⚠️
+> Since version 6.2.x chart is pushed **only** to OCI registry at `oci://quay.io/codefresh/cf-runtime`
+
+> Versions prior to 6.2.x are still available in ChartMuseum at `http://chartmuseum.codefresh.io/cf-runtime`
+
+## Get Chart Info
+
+```console
+helm show all oci://quay.io/codefresh/cf-runtime
+```
+See [Use OCI-based registries](https://helm.sh/docs/topics/registries/)
+
+## Install Chart
+
+**Important:** only helm3 is supported
+
+- Specify the following mandatory values
+
+`values.yaml`
+```yaml
+# -- Global parameters
+# @default -- See below
+global:
+ # -- User token in plain text (required if `global.codefreshTokenSecretKeyRef` is omitted!)
+ # Ref: https://g.codefresh.io/user/settings (see API Keys)
+ # Minimal API key scopes: Runner-Installation(read+write), Agent(read+write), Agents(read+write)
+ codefreshToken: ""
+ # -- User token that references an existing secret containing API key (required if `global.codefreshToken` is omitted!)
+ codefreshTokenSecretKeyRef: {}
+ # E.g.
+ # codefreshTokenSecretKeyRef:
+ # name: my-codefresh-api-token
+ # key: codefresh-api-token
+
+ # -- Account ID (required!)
+ # Can be obtained here https://g.codefresh.io/2.0/account-settings/account-information
+ accountId: ""
+
+ # -- K8s context name (required!)
+ context: ""
+ # E.g.
+ # context: prod-ue1-runtime-1
+
+ # -- Agent Name (optional!)
+ # If omitted, the following format will be used '{{ `{{ .Values.global.context }}_{{ .Release.Namespace }}` }}'
+ agentName: ""
+ # E.g.
+ # agentName: prod-ue1-runtime-1
+
+ # -- Runtime name (optional!)
+ # If omitted, the following format will be used '{{ `{{ .Values.global.context }}/{{ .Release.Namespace }}` }}'
+ runtimeName: ""
+ # E.g.
+ # runtimeName: prod-ue1-runtime-1/namespace
+```
+
+- Install chart
+
+```console
+helm upgrade --install cf-runtime oci://quay.io/codefresh/cf-runtime -f values.yaml --create-namespace --namespace codefresh
+```
+
+## Chart Configuration
+
+See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
+
+## Upgrade Chart
+
+### To 2.x
+
+This major release renames and deprecated several values in the chart. Most of the workload templates have been refactored.
+
+Affected values:
+- `dockerRegistry` is deprecated. Replaced with `global.imageRegistry`
+- `re` is renamed to `runtime`
+- `storage.localVolumeMonitor` is replaced with `volumeProvisioner.dind-lv-monitor`
+- `volumeProvisioner.volume-cleanup` is replaced with `volumeProvisioner.dind-volume-cleanup`
+- `image` values structure has been updated. Split to `image.registry` `image.repository` `image.tag`
+- pod's `annotations` is renamed to `podAnnotations`
+
+### To 3.x
+
+⚠️⚠️⚠️
+### READ this before the upgrade!
+
+This major release adds [runtime-environment](https://codefresh.io/docs/docs/installation/codefresh-runner/#runtime-environment-specification) spec into chart templates.
+That means it is possible to set parametes for `dind` and `engine` pods via [values.yaml](./values.yaml).
+
+**If you had any overrides (i.e. tolerations/nodeSelector/environment variables/etc) added in runtime spec via [codefresh CLI](https://codefresh-io.github.io/cli/) (for example, you did use [get](https://codefresh-io.github.io/cli/runtime-environments/get-runtime-environments/) and [patch](https://codefresh-io.github.io/cli/runtime-environments/apply-runtime-environments/) commands to modify the runtime-environment), you MUST add these into chart's [values.yaml](./values.yaml) for `.Values.runtime.dind` or(and) .`Values.runtime.engine`**
+
+**For backward compatibility, you can disable updating runtime-environment spec via** `.Values.runtime.patch.enabled=false`
+
+Affected values:
+- added **mandatory** `global.codefreshToken`/`global.codefreshTokenSecretKeyRef` **You must specify it before the upgrade!**
+- `runtime.engine` is added
+- `runtime.dind` is added
+- `global.existingAgentToken` is replaced with `global.agentTokenSecretKeyRef`
+- `global.existingDindCertsSecret` is replaced with `global.dindCertsSecretRef`
+
+### To 4.x
+
+This major release adds **agentless inCluster** runtime mode (relevant only for [Codefresh On-Premises](#on-premise) users)
+
+Affected values:
+- `runtime.agent` / `runtime.inCluster` / `runtime.accounts` / `runtime.description` are added
+
+### To 5.x
+
+This major release converts `.runtime.dind.pvcs` from **list** to **dict**
+
+> 4.x chart's values example:
+```yaml
+runtime:
+ dind:
+ pvcs:
+ - name: dind
+ storageClassName: my-storage-class-name
+ volumeSize: 32Gi
+ reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName'
+ reuseVolumeSortOrder: pipeline_id
+```
+
+> 5.x chart's values example:
+```yaml
+runtime:
+ dind:
+ pvcs:
+ dind:
+ name: dind
+ storageClassName: my-storage-class-name
+ volumeSize: 32Gi
+ reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName'
+ reuseVolumeSortOrder: pipeline_id
+```
+
+Affected values:
+- `.runtime.dind.pvcs` converted from **list** to **dict**
+
+### To 6.x
+
+⚠️⚠️⚠️
+### READ this before the upgrade!
+
+This major release deprecates previously required `codefresh runner init --generate-helm-values-file`.
+
+Affected values:
+- **Replaced** `.monitor.clusterId` with `.global.context` as **mandatory** value!
+- **Deprecated** `.global.agentToken` / `.global.agentTokenSecretKeyRef`
+- **Removed** `.global.agentId`
+- **Removed** `.global.keys` / `.global.dindCertsSecretRef`
+- **Removed** `.global.existingAgentToken` / `existingDindCertsSecret`
+- **Removed** `.monitor.clusterId` / `.monitor.token` / `.monitor.existingMonitorToken`
+
+#### Migrate the Helm chart from version 5.x to 6.x
+
+Given this is the legacy `generated_values.yaml` values:
+
+> legacy `generated_values.yaml`
+```yaml
+{
+ "appProxy": {
+ "enabled": false,
+ },
+ "monitor": {
+ "enabled": false,
+ "clusterId": "my-cluster-name",
+ "token": "1234567890"
+ },
+ "global": {
+ "namespace": "namespace",
+ "codefreshHost": "https://g.codefresh.io",
+ "agentToken": "0987654321",
+ "agentId": "agent-id-here",
+ "agentName": "my-cluster-name_my-namespace",
+ "accountId": "my-account-id",
+ "runtimeName": "my-cluster-name/my-namespace",
+ "codefreshToken": "1234567890",
+ "keys": {
+ "key": "-----BEGIN RSA PRIVATE KEY-----...",
+ "csr": "-----BEGIN CERTIFICATE REQUEST-----...",
+ "ca": "-----BEGIN CERTIFICATE-----...",
+ "serverCert": "-----BEGIN CERTIFICATE-----..."
+ }
+ }
+}
+```
+
+Update `values.yaml` for new chart version:
+
+> For existing installation for backward compatibility `.Values.global.agentToken/agentTokenSecretKeyRef` **must be provided!** For installation from scratch this value is no longer required.
+
+> updated `values.yaml`
+```yaml
+global:
+ codefreshToken: "1234567890"
+ accountId: "my-account-id"
+ context: "my-cluster-name"
+ agentToken: "0987654321" # MANDATORY when migrating from < 6.x chart version !
+ agentName: "my-cluster-name_my-namespace" # optional
+ runtimeName: "my-cluster-name/my-namespace" # optional
+```
+
+> **Note!** Though it's still possible to update runtime-environment via [get](https://codefresh-io.github.io/cli/runtime-environments/get-runtime-environments/) and [patch](https://codefresh-io.github.io/cli/runtime-environments/apply-runtime-environments/) commands, it's recommended to enable sidecar container to pull runtime spec from Codefresh API to detect any drift in configuration.
+
+```yaml
+runner:
+ # -- Sidecar container
+ # Reconciles runtime spec from Codefresh API for drift detection
+ sidecar:
+ enabled: true
+```
+
+## Architecture
+
+[Codefresh Runner architecture](https://codefresh.io/docs/docs/installation/codefresh-runner/#codefresh-runner-architecture)
+
+## Configuration
+
+See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
+
+### EBS backend volume configuration
+
+`dind-volume-provisioner` should have permissions to create/attach/detach/delete/get EBS volumes
+
+Minimal IAM policy for `dind-volume-provisioner`
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AttachVolume",
+ "ec2:CreateSnapshot",
+ "ec2:CreateTags",
+ "ec2:CreateVolume",
+ "ec2:DeleteSnapshot",
+ "ec2:DeleteTags",
+ "ec2:DeleteVolume",
+ "ec2:DescribeInstances",
+ "ec2:DescribeSnapshots",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DetachVolume"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+There are three options:
+
+1. Run `dind-volume-provisioner` pod on the node/node-group with IAM role
+
+```yaml
+storage:
+ # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+ backend: ebs-csi
+
+ ebs:
+ availabilityZone: "us-east-1a"
+
+volumeProvisioner:
+ # -- Set node selector
+ nodeSelector: {}
+ # -- Set tolerations
+ tolerations: []
+```
+
+2. Pass static credentials in `.Values.storage.ebs.accessKeyId/accessKeyIdSecretKeyRef` and `.Values.storage.ebs.secretAccessKey/secretAccessKeySecretKeyRef`
+
+```yaml
+storage:
+ # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+ backend: ebs-csi
+
+ ebs:
+ availabilityZone: "us-east-1a"
+
+ # -- Set AWS_ACCESS_KEY_ID for volume-provisioner (optional)
+ accessKeyId: ""
+ # -- Existing secret containing AWS_ACCESS_KEY_ID.
+ accessKeyIdSecretKeyRef: {}
+ # E.g.
+ # accessKeyIdSecretKeyRef:
+ # name:
+ # key:
+
+ # -- Set AWS_SECRET_ACCESS_KEY for volume-provisioner (optional)
+ secretAccessKey: ""
+ # -- Existing secret containing AWS_SECRET_ACCESS_KEY
+ secretAccessKeySecretKeyRef: {}
+ # E.g.
+ # secretAccessKeySecretKeyRef:
+ # name:
+ # key:
+```
+
+3. Assign IAM role to `dind-volume-provisioner` service account
+
+```yaml
+storage:
+ # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+ backend: ebs-csi
+
+ ebs:
+ availabilityZone: "us-east-1a"
+
+volumeProvisioner:
+ # -- Service Account parameters
+ serviceAccount:
+ # -- Create service account
+ create: true
+ # -- Additional service account annotations
+ annotations:
+ eks.amazonaws.com/role-arn: "arn:aws:iam:::role/"
+```
+
+### Custom volume mounts
+
+You can add your own volumes and volume mounts in the runtime environment, so that all pipeline steps will have access to the same set of external files.
+
+```yaml
+runtime:
+ dind:
+ userVolumes:
+ regctl-docker-registry:
+ name: regctl-docker-registry
+ secret:
+ items:
+ - key: .dockerconfigjson
+ path: config.json
+ secretName: regctl-docker-registry
+ optional: true
+ userVolumeMounts:
+ regctl-docker-registry:
+ name: regctl-docker-registry
+ mountPath: /home/appuser/.docker/
+ readOnly: true
+
+```
+
+### Azure Disks backend volume configuration
+
+`dind-volume-provisioner` should have permissions to create/delete/get Azure Disks
+
+Role definition for `dind-volume-provisioner`
+
+`dind-volume-provisioner-role.json`
+```json
+{
+ "Name": "CodefreshDindVolumeProvisioner",
+ "Description": "Perform create/delete/get disks",
+ "IsCustom": true,
+ "Actions": [
+ "Microsoft.Compute/disks/read",
+ "Microsoft.Compute/disks/write",
+ "Microsoft.Compute/disks/delete"
+
+ ],
+ "AssignableScopes": ["/subscriptions/"]
+}
+```
+
+When creating an AKS cluster in Azure there is the option to use a [managed identity](https://learn.microsoft.com/en-us/azure/aks/use-managed-identity) that is assigned to the kubelet. This identity is assigned to the underlying node pool in the AKS cluster and can then be used by the dind-volume-provisioner.
+
+```console
+export ROLE_DEFINITIN_FILE=dind-volume-provisioner-role.json
+export SUBSCRIPTION_ID=$(az account show --query "id" | xargs echo )
+export RESOURCE_GROUP=
+export AKS_NAME=
+export LOCATION=$(az aks show -g $RESOURCE_GROUP -n $AKS_NAME --query location | xargs echo)
+export NODES_RESOURCE_GROUP=MC_${RESOURCE_GROUP}_${AKS_NAME}_${LOCATION}
+export NODE_SERVICE_PRINCIPAL=$(az aks show -g $RESOURCE_GROUP -n $AKS_NAME --query identityProfile.kubeletidentity.objectId | xargs echo)
+
+az role definition create --role-definition @${ROLE_DEFINITIN_FILE}
+az role assignment create --assignee $NODE_SERVICE_PRINCIPAL --scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$NODES_RESOURCE_GROUP --role CodefreshDindVolumeProvisioner
+```
+
+Deploy Helm chart with the following values:
+
+`values.yaml`
+```yaml
+volumeProvisioner:
+ podSecurityContext:
+ enabled: true
+ runAsUser: 0
+ runAsGroup: 0
+ fsGroup: 0
+
+storage:
+ backend: azuredisk
+ azuredisk:
+ availabilityZone: northeurope-1 # replace with your zone
+ resourceGroup: my-resource-group-name
+
+ mountAzureJson: true
+
+runtime:
+ dind:
+ nodeSelector:
+ topology.kubernetes.io/zone: northeurope-1
+```
+
+### GCE Disks backend volume configuration in GKE
+
+`dind-volume-provisioner` should have `ComputeEngine.StorageAdmin` permissions
+
+There are three options:
+
+1. Run `dind-volume-provisioner` pod on the node/node-group with IAM Service Account
+
+```yaml
+storage:
+ # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+ backend: gcedisk
+
+ gcedisk:
+ # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+ volumeType: "pd-standard"
+ # -- Set GCP volume availability zone
+ availabilityZone: "us-central1-c"
+
+volumeProvisioner:
+ # -- Set node selector
+ nodeSelector: {}
+ # -- Set tolerations
+ tolerations: []
+
+# -- Set runtime parameters
+runtime:
+ # -- Parameters for DinD (docker-in-docker) pod
+ dind:
+ # -- Set node selector.
+ nodeSelector:
+ topology.kubernetes.io/zone: us-central1-c
+```
+
+2. Pass static credentials in `.Values.storage.gcedisk.serviceAccountJson` (inline) or `.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef` (from your own secret)
+
+```yaml
+storage:
+ # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+ backend: gcedisk
+
+ gcedisk:
+ # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+ volumeType: "`pd-standard"
+ # -- Set GCP volume availability zone
+ availabilityZone: "us-central1-c"
+ # -- Set Google SA JSON key for volume-provisioner (optional)
+ serviceAccountJson: |
+ {
+ "type": "service_account",
+ "project_id": "...",
+ "private_key_id": "...",
+ "private_key": "...",
+ "client_email": "...",
+ "client_id": "...",
+ "auth_uri": "...",
+ "token_uri": "...",
+ "auth_provider_x509_cert_url": "...",
+ "client_x509_cert_url": "..."
+ }
+ # -- Existing secret containing containing Google SA JSON key for volume-provisioner (optional)
+ serviceAccountJsonSecretKeyRef: {}
+ # E.g.:
+ # serviceAccountJsonSecretKeyRef:
+ # name: gce-service-account
+ # key: service-account.json
+
+# -- Set runtime parameters
+runtime:
+ # -- Parameters for DinD (docker-in-docker) pod
+ dind:
+ # -- Set node selector.
+ nodeSelector:
+ topology.kubernetes.io/zone: us-central1-c
+```
+
+3. Assign IAM role to `dind-volume-provisioner` service account
+
+```yaml
+storage:
+ # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+ backend: gcedisk
+
+ gcedisk:
+ # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+ volumeType: "`pd-standard"
+ # -- Set GCP volume availability zone
+ availabilityZone: "us-central1-c"
+
+volumeProvisioner:
+ # -- Service Account parameters
+ serviceAccount:
+ # -- Create service account
+ create: true
+ # -- Additional service account annotations
+ annotations:
+ iam.gke.io/gcp-service-account: @.iam.gserviceaccount.com
+
+# -- Set runtime parameters
+runtime:
+ # -- Parameters for DinD (docker-in-docker) pod
+ dind:
+ # -- Set node selector.
+ nodeSelector:
+ topology.kubernetes.io/zone: us-central1-c
+```
+
+### Custom global environment variables
+
+You can add your own environment variables to the runtime environment. All pipeline steps have access to the global variables.
+
+```yaml
+runtime:
+ engine:
+ userEnvVars:
+ - name: GITHUB_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: github-token
+ key: token
+```
+
+### Volume reuse policy
+
+Volume reuse behavior depends on the configuration for `reuseVolumeSelector` in the runtime environment spec.
+
+```yaml
+runtime:
+ dind:
+ pvcs:
+ - name: dind
+ ...
+ reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName'
+ reuseVolumeSortOrder: pipeline_id
+```
+
+The following options are available:
+- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName'` - PV can be used by ANY pipeline in the specified account (default).
+Benefit: Fewer PVs, resulting in lower costs. Since any PV can be used by any pipeline, the cluster needs to maintain/reserve fewer PVs in its PV pool for Codefresh.
+Downside: Since the PV can be used by any pipeline, the PVs could have assets and info from different pipelines, reducing the probability of cache.
+
+- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName,project_id'` - PV can be used by ALL pipelines in your account, assigned to the same project.
+
+- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName,pipeline_id'` - PV can be used only by a single pipeline.
+Benefit: More probability of cache without “spam” from other pipelines.
+Downside: More PVs to maintain and therefore higher costs.
+
+- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName,pipeline_id,io.codefresh.branch_name'` - PV can be used only by single pipeline AND single branch.
+
+- `reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName,pipeline_id,trigger'` - PV can be used only by single pipeline AND single trigger.
+
+### Volume cleaners
+
+Codefresh pipelines require disk space for:
+ * [Pipeline Shared Volume](https://codefresh.io/docs/docs/pipelines/introduction-to-codefresh-pipelines/#sharing-the-workspace-between-build-steps) (`/codefresh/volume`, implemented as [docker volume](https://docs.docker.com/storage/volumes/))
+ * Docker containers, both running and stopped
+ * Docker images and cached layers
+
+Codefresh offers two options to manage disk space and prevent out-of-space errors:
+* Use runtime cleaners on Docker images and volumes
+* [Set the minimum disk space per pipeline build volume](https://codefresh.io/docs/docs/pipelines/pipelines/#set-minimum-disk-space-for-a-pipeline-build)
+
+To improve performance by using Docker cache, Codefresh `volume-provisioner` can provision previously used disks with Docker images and pipeline volumes from previously run builds.
+
+### Types of runtime volume cleaners
+
+Docker images and volumes must be cleaned on a regular basis.
+
+* [IN-DIND cleaner](https://github.com/codefresh-io/dind/tree/master/cleaner): Deletes extra Docker containers, volumes, and images in **DIND pod**.
+* [External volume cleaner](https://github.com/codefresh-io/dind-volume-cleanup): Deletes unused **external** PVs (EBS, GCE/Azure disks).
+* [Local volume cleaner](https://github.com/codefresh-io/dind-volume-utils/blob/master/local-volumes/lv-cleaner.sh): Deletes **local** volumes if node disk space is close to the threshold.
+
+### IN-DIND cleaner
+
+**Purpose:** Removes unneeded *docker containers, images, volumes* inside Kubernetes volume mounted on the DIND pod
+
+**How it runs:** Inside each DIND pod as script
+
+**Triggered by:** SIGTERM and also during the run when disk usage > 90% (configurable)
+
+**Configured by:** Environment Variables which can be set in Runtime Environment spec
+
+**Configuration/Logic:** [README.md](https://github.com/codefresh-io/dind/tree/master/cleaner#readme)
+
+Override `.Values.runtime.dind.env` if necessary (the following are **defaults**):
+
+```yaml
+runtime:
+ dind:
+ env:
+ CLEAN_PERIOD_SECONDS: '21600' # launch clean if last clean was more than CLEAN_PERIOD_SECONDS seconds ago
+ CLEAN_PERIOD_BUILDS: '5' # launch clean if last clean was more CLEAN_PERIOD_BUILDS builds since last build
+ IMAGE_RETAIN_PERIOD: '14400' # do not delete docker images if they have events since current_timestamp - IMAGE_RETAIN_PERIOD
+ VOLUMES_RETAIN_PERIOD: '14400' # do not delete docker volumes if they have events since current_timestamp - VOLUMES_RETAIN_PERIOD
+ DISK_USAGE_THRESHOLD: '0.8' # launch clean based on current disk usage DISK_USAGE_THRESHOLD
+ INODES_USAGE_THRESHOLD: '0.8' # launch clean based on current inodes usage INODES_USAGE_THRESHOLD
+```
+
+### External volumes cleaner
+
+**Purpose:** Removes unused *kubernetes volumes and related backend volumes*
+
+**How it runs:** Runs as `dind-volume-cleanup` CronJob. Installed in case the Runner uses non-local volumes `.Values.storage.backend != local`
+
+**Triggered by:** CronJob every 10min (configurable)
+
+**Configuration:**
+
+Set `codefresh.io/volume-retention` for dinds' PVCs:
+
+```yaml
+runtime:
+ dind:
+ pvcs:
+ dind:
+ ...
+ annotations:
+ codefresh.io/volume-retention: 7d
+```
+
+Or override environment variables for `dind-volume-cleanup` cronjob:
+
+```yaml
+volumeProvisioner:
+ dind-volume-cleanup:
+ env:
+ RETENTION_DAYS: 7 # clean volumes that were last used more than `RETENTION_DAYS` (default is 4) ago
+```
+
+### Local volumes cleaner
+
+**Purpose:** Deletes local volumes when node disk space is close to the threshold
+
+**How it runs:** Runs as `dind-lv-monitor` DaemonSet. Installed in case the Runner uses local volumes `.Values.storage.backend == local`
+
+**Triggered by:** Disk space usage or inode usage that exceeds thresholds (configurable)
+
+**Configuration:**
+
+Override environment variables for `dind-lv-monitor` daemonset:
+
+```yaml
+volumeProvisioner:
+ dind-lv-monitor:
+ env:
+ KB_USAGE_THRESHOLD: 60 # default 80 (percentage)
+ INODE_USAGE_THRESHOLD: 60 # default 80
+```
+
+### Rootless DinD
+
+DinD pod runs a `priviliged` container with **rootfull** docker.
+To run the docker daemon as non-root user (**rootless** mode), change dind image tag:
+
+`values.yaml`
+```yaml
+runtime:
+ dind:
+ image:
+ tag: rootless
+```
+
+### ARM
+
+With the Codefresh Runner, you can run native ARM64v8 builds.
+
+> **Note!**
+> You cannot run both amd64 and arm64 images within the same pipeline. As one pipeline can map only to one runtime, you can run either amd64 or arm64 within the same pipeline.
+ +Provide `nodeSelector` and(or) `tolerations` for dind pods: + +`values.yaml` +```yaml +runtime: + dind: + nodeSelector: + arch: arm64 + tolerations: + - key: arch + operator: Equal + value: arm64 + effect: NoSchedule +``` + +### Openshift + +To install Codefresh Runner on OpenShift use the following `values.yaml` example + +```yaml +runner: + podSecurityContext: + enabled: false + +volumeProvisioner: + podSecurityContext: + enabled: false + env: + PRIVILEGED_CONTAINER: true + dind-lv-monitor: + containerSecurityContext: + enabled: true + privileged: true + volumePermissions: + enabled: true + securityContext: + privileged: true + runAsUser: auto +``` + +Grant `privileged` SCC to `cf-runtime-runner` and `cf-runtime-volume-provisioner` service accounts. + +```console +oc adm policy add-scc-to-user privileged system:serviceaccount:codefresh:cf-runtime-runner + +oc adm policy add-scc-to-user privileged system:serviceaccount:codefresh:cf-runtime-volume-provisioner +``` + +### On-premise + +If you have [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) deployed, you can install Codefresh Runner in **agentless** mode. + +**What is agentless mode?** + +Agent (aka venona) is Runner component which responsible for calling Codefresh API to run builds and create dind/engine pods and pvc objects. Agent can only be assigned to a single account, thus you can't share one runtime across multiple accounts. However, with **agentless** mode it's possible to register the runtime as **system**-type runtime so it's registered on the platform level and can be assigned/shared across multiple accounts. 
+ +**What are the prerequisites?** +- You have a running [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) control-plane environment +- You have a Codefresh API token with platform **Admin** permissions scope + + +### How to deploy agentless runtime when it's on the SAME k8s cluster as On-Premises control-plane environment? + +- Enable cluster-level permissions for cf-api (On-Premises control-plane component) + +> `values.yaml` for [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) Helm chart +```yaml +cfapi: + ... + # -- Enable ClusterRole/ClusterRoleBinding + rbac: + namespaced: false +``` + +- Set the following values for Runner Helm chart + +`.Values.global.codefreshHost=...` \ +`.Values.global.codefreshToken=...` \ +`.Values.global.runtimeName=system/...` \ +`.Values.runtime.agent=false` \ +`.Values.runtime.inCluster=true` + +> `values.yaml` for [Codefresh Runner](https://artifacthub.io/packages/helm/codefresh-runner/cf-runtime) helm chart +```yaml +global: + # -- URL of Codefresh On-Premises Platform + codefreshHost: "https://myonprem.somedomain.com" + # -- User token in plain text with Admin permission scope + codefreshToken: "" + # -- User token that references an existing secret containing API key. + codefreshTokenSecretKeyRef: {} + # E.g. + # codefreshTokenSecretKeyRef: + # name: my-codefresh-api-token + # key: codefresh-api-token + + # -- Distinguished runtime name + # (for On-Premise only; mandatory!) Must be prefixed with "system/..." + runtimeName: "system/prod-ue1-some-cluster-name" + +# -- Set runtime parameters +runtime: + # -- (for On-Premise only; mandatory!) 
Disable agent + agent: false + # -- (for On-Premise only; optional) Set inCluster runtime (default: `true`) + # `inCluster=true` flag is set when Runtime and On-Premises control-plane are run on the same cluster + # `inCluster=false` flag is set when Runtime and On-Premises control-plane are on different clusters + inCluster: true + # -- (for On-Premise only; optional) Assign accounts to runtime (list of account ids; default is empty) + # Accounts can be assigned to the runtime in Codefresh UI later so you can kepp it empty. + accounts: [] + # -- Set parent runtime to inherit. + runtimeExtends: [] +``` + +- Install the chart + +```console +helm upgrade --install cf-runtime oci://quay.io/codefresh/cf-runtime -f values.yaml --create-namespace --namespace cf-runtime +``` + +- Verify the runtime and run test pipeline + +Go to [https:///admin/runtime-environments/system](https:///admin/runtime-environments/system) to check the runtime. Assign it to the required account(s). Run test pipeline on it. + + +### How to deploy agentless runtime when it's on the DIFFERENT k8s cluster than On-Premises control-plane environment? 
+ +In this case, it's required to mount runtime cluster's `KUBECONFIG` into On-Premises `cf-api` deployment + +- Create the neccessary RBAC resources + +> `values.yaml` for [Codefresh Runner](https://artifacthub.io/packages/helm/codefresh-runner/cf-runtime) helm chart +```yaml +extraResources: +- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: codefresh-role + namespace: '{{ "{{ .Release.Namespace }}" }}' + rules: + - apiGroups: [""] + resources: ["pods", "persistentvolumeclaims", "persistentvolumes"] + verbs: ["list", "watch", "get", "create", "patch", "delete"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["list", "watch", "get", "create", "patch", "delete"] +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: codefresh-runtime-user + namespace: '{{ "{{ .Release.Namespace }}" }}' +- apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: codefresh-runtime-user + namespace: '{{ "{{ .Release.Namespace }}" }}' + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: codefresh-role + subjects: + - kind: ServiceAccount + name: codefresh-runtime-user + namespace: '{{ "{{ .Release.Namespace }}" }}' +- apiVersion: v1 + kind: Secret + metadata: + name: codefresh-runtime-user-token + namespace: '{{ "{{ .Release.Namespace }}" }}' + annotations: + kubernetes.io/service-account.name: codefresh-runtime-user + type: kubernetes.io/service-account-token +``` + +- Set up the following environment variables to create a `KUBECONFIG` file + +```shell +NAMESPACE=cf-runtime +CLUSTER_NAME=prod-ue1-some-cluster-name +CURRENT_CONTEXT=$(kubectl config current-context) + +USER_TOKEN_VALUE=$(kubectl -n cf-runtime get secret/codefresh-runtime-user-token -o=go-template='{{ `{{.data.token}}` }}' | base64 --decode) +CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{ `{{range .contexts}}{{if eq .name "'''${CURRENT_CONTEXT}'''"}}{{ index .context "cluster" }}{{end}}{{end}}` 
}}') +CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{ `{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}` }}') +CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{ `{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}{{ .cluster.server }}{{end}}{{ end }}` }}') + +export -p USER_TOKEN_VALUE CURRENT_CONTEXT CURRENT_CLUSTER CLUSTER_CA CLUSTER_SERVER CLUSTER_NAME +``` + +- Create a kubeconfig file + +```console +cat << EOF > $CLUSTER_NAME-kubeconfig +apiVersion: v1 +kind: Config +current-context: ${CLUSTER_NAME} +contexts: +- name: ${CLUSTER_NAME} + context: + cluster: ${CLUSTER_NAME} + user: codefresh-runtime-user + namespace: ${NAMESPACE} +clusters: +- name: ${CLUSTER_NAME} + cluster: + certificate-authority-data: ${CLUSTER_CA} + server: ${CLUSTER_SERVER} +users: +- name: ${CLUSTER_NAME} + user: + token: ${USER_TOKEN_VALUE} +EOF +``` + +- **Switch context to On-Premises control-plane cluster**. Create k8s secret (via any tool like [ESO](https://external-secrets.io/v0.4.4/), `kubectl`, etc ) containing runtime cluster's `KUBECONFG` created in previous step. + +```shell +NAMESPACE=codefresh +kubectl create secret generic dind-runtime-clusters --from-file=$CLUSTER_NAME=$CLUSTER_NAME-kubeconfig -n $NAMESPACE +``` + +- Mount secret containing runtime cluster's `KUBECONFG` into cf-api in On-Premises control-plane cluster + +> `values.yaml` for [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) helm chart +```yaml +cf-api: + ... + volumes: + dind-clusters: + enabled: true + type: secret + nameOverride: dind-runtime-clusters + optional: true +``` +> volumeMount `/etc/kubeconfig` is already configured in cf-api Helm chart template. No need to specify it. 
+ +- Set the following values for Runner helm chart + +> `values.yaml` for [Codefresh Runner](https://artifacthub.io/packages/helm/codefresh-runner/cf-runtime) helm chart + +`.Values.global.codefreshHost=...` \ +`.Values.global.codefreshToken=...` \ +`.Values.global.runtimeName=system/...` \ +`.Values.runtime.agent=false` \ +`.Values.runtime.inCluster=false` + +**Important!** +`.Values.global.name` ("system/" prefix is ignored!) should match the cluster name (key in `dind-runtime-clusters` secret created previously) +```yaml +global: + # -- URL of Codefresh On-Premises Platform + codefreshHost: "https://myonprem.somedomain.com" + # -- User token in plain text with Admin permission scope + codefreshToken: "" + # -- User token that references an existing secret containing API key. + codefreshTokenSecretKeyRef: {} + # E.g. + # codefreshTokenSecretKeyRef: + # name: my-codefresh-api-token + # key: codefresh-api-token + + # -- Distinguished runtime name + # (for On-Premise only; mandatory!) Must be prefixed with "system/..." + name: "system/prod-ue1-some-cluster-name" + +# -- Set runtime parameters +runtime: + # -- (for On-Premise only; mandatory!) Disable agent + agent: false + # -- (for On-Premise only; optional) Set inCluster runtime (default: `true`) + # `inCluster=true` flag is set when Runtime and On-Premises control-plane are run on the same cluster + # `inCluster=false` flag is set when Runtime and On-Premises control-plane are on different clusters + inCluster: false + # -- (for On-Premise only; optional) Assign accounts to runtime (list of account ids; default is empty) + # Accounts can be assigned to the runtime in Codefresh UI later so you can kepp it empty. + accounts: [] + # -- (optional) Set parent runtime to inherit. 
+ runtimeExtends: []
+```
+
+- Install the chart
+
+```console
+helm upgrade --install cf-runtime oci://quay.io/codefresh/cf-runtime -f values.yaml --create-namespace --namespace cf-runtime
+```
+
+- Verify the runtime and run test pipeline
+
+Go to [https:///admin/runtime-environments/system](https:///admin/runtime-environments/system) to see the runtime. Assign it to the required account(s).
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
diff --git a/charts/codefresh/cf-runtime/6.3.61/files/cleanup-runtime.sh b/charts/codefresh/cf-runtime/6.3.61/files/cleanup-runtime.sh
new file mode 100644
index 000000000..c1fc5f368
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/files/cleanup-runtime.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+echo "-----"
+echo "API_HOST: ${API_HOST}"
+echo "AGENT_NAME: ${AGENT_NAME}"
+echo "RUNTIME_NAME: ${RUNTIME_NAME}"
+echo "AGENT: ${AGENT}"
+echo "AGENT_SECRET_NAME: ${AGENT_SECRET_NAME}"
+echo "DIND_SECRET_NAME: ${DIND_SECRET_NAME}"
+echo "-----"
+
+auth() {
+ codefresh auth create-context --api-key ${API_TOKEN} --url ${API_HOST}
+}
+
+remove_runtime() {
+ if [ "$AGENT" == "true" ]; then
+ codefresh delete re ${RUNTIME_NAME} || true
+ else
+ codefresh delete sys-re ${RUNTIME_NAME} || true
+ fi
+}
+
+remove_agent() {
+ codefresh delete agent ${AGENT_NAME} || true
+}
+
+remove_secrets() {
+ kubectl patch secret $(kubectl get secret -l codefresh.io/internal=true | awk 'NR>1{print $1}' | xargs) -p '{"metadata":{"finalizers":null}}' --type=merge || true
+ kubectl delete secret $AGENT_SECRET_NAME || true
+ kubectl delete secret $DIND_SECRET_NAME || true
+}
+
+auth
+remove_runtime
+remove_agent
+remove_secrets
\ No newline at end of file
diff --git a/charts/codefresh/cf-runtime/6.3.61/files/configure-dind-certs.sh b/charts/codefresh/cf-runtime/6.3.61/files/configure-dind-certs.sh
new file mode 100644
index 000000000..a1092eb1e
--- /dev/null
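Review bot: `codefresh auth create-context --api-key ${API_TOKEN} --url ${API_HOST}` in auth() passes the API token as a command-line argument, so for the duration of the call it is readable from the process table by anything sharing the pod's PID namespace; the same pattern appears in reconcile-runtime.sh (`--api-key ${USER_CODEFRESH_TOKEN}`) and, as far as the garbled init-runtime.sh hunk shows, there too. If the CLI can take the key from the environment or a file, prefer that; otherwise at least quote the expansions, `codefresh auth create-context --api-key "${API_TOKEN}" --url "${API_HOST}"`, so an empty or space-containing value cannot shift arguments. remove_secrets() also runs `kubectl get secret` / `kubectl patch secret` without `-n`, so it acts on whatever namespace the in-cluster default context resolves to, and every failure is masked by `|| true`; a comment such as `# best-effort cleanup: relies on the default namespace of the service account, all errors are ignored` would make that explicit for the next reader.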
+++ b/charts/codefresh/cf-runtime/6.3.61/files/configure-dind-certs.sh 
@@ -0,0 +1,132 @@
+#!/usr/bin/env bash
+#
+
+#---
+fatal() {
+ echo "ERROR: $1"
+ exit 1
+}
+
+msg() { echo -e "\e[32mINFO ---> $1\e[0m"; }
+err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; }
+
+exit_trap () {
+ local lc="$BASH_COMMAND" rc=$?
+ if [ $rc != 0 ]; then
+ if [[ -n "$SLEEP_ON_ERROR" ]]; then
+ echo -e "\nSLEEP_ON_ERROR is set - Sleeping to fix error"
+ sleep $SLEEP_ON_ERROR
+ fi
+ fi
+}
+trap exit_trap EXIT
+
+usage() {
+ echo "Usage:
+ $0 [-n | --namespace] [--server-cert-cn] [--server-cert-extra-sans] codefresh-api-host codefresh-api-token
+
+Example:
+ $0 -n workflow https://g.codefresh.io 21341234.423141234.412431234
+
+"
+}
+
+# Args
+while [[ $1 =~ ^(-(n|h)|--(namespace|server-cert-cn|server-cert-extra-sans|help)) ]]
+do
+ key=$1
+ value=$2
+
+ case $key in
+ -h|--help)
+ usage
+ exit
+ ;;
+ -n|--namespace)
+ NAMESPACE="$value"
+ shift
+ ;;
+ --server-cert-cn)
+ SERVER_CERT_CN="$value"
+ shift
+ ;;
+ --server-cert-extra-sans)
+ SERVER_CERT_EXTRA_SANS="$value"
+ shift
+ ;;
+ esac
+ shift # past argument or value
+done
+
+API_HOST=${1:-"$CF_API_HOST"}
+API_TOKEN=${2:-"$CF_API_TOKEN"}
+
+[[ -z "$API_HOST" ]] && usage && fatal "Missing API_HOST"
+[[ -z "$API_TOKEN" ]] && usage && fatal "Missing token"
+
+
+API_SIGN_PATH=${API_SIGN_PATH:-"api/custom_clusters/signServerCerts"}
+
+NAMESPACE=${NAMESPACE:-default}
+RELEASE=${RELEASE:-cf-runtime}
+
+DIR=$(dirname $0)
+TMPDIR=/tmp/codefresh/
+
+TMP_CERTS_FILE_ZIP=$TMPDIR/cf-certs.zip
+TMP_CERTS_HEADERS_FILE=$TMPDIR/cf-certs-response-headers.txt
+CERTS_DIR=$TMPDIR/ssl
+SRV_TLS_CA_CERT=${CERTS_DIR}/ca.pem
+SRV_TLS_KEY=${CERTS_DIR}/server-key.pem
+SRV_TLS_CSR=${CERTS_DIR}/server-cert.csr
+SRV_TLS_CERT=${CERTS_DIR}/server-cert.pem
+CF_SRV_TLS_CERT=${CERTS_DIR}/cf-server-cert.pem
+CF_SRV_TLS_CA_CERT=${CERTS_DIR}/cf-ca.pem
+mkdir -p $TMPDIR $CERTS_DIR
+
+K8S_CERT_SECRET_NAME=codefresh-certs-server
+echo -e "\n------------------\nGenerating server tls certificates ... 
"
+
+SERVER_CERT_CN=${SERVER_CERT_CN:-"docker.codefresh.io"}
+SERVER_CERT_EXTRA_SANS="${SERVER_CERT_EXTRA_SANS}"
+###
+
+ openssl genrsa -out $SRV_TLS_KEY 4096 || fatal "Failed to generate openssl key "
+ openssl req -subj "/CN=${SERVER_CERT_CN}" -new -key $SRV_TLS_KEY -out $SRV_TLS_CSR || fatal "Failed to generate openssl csr "
+ GENERATE_CERTS=true
+ CSR=$(sed ':a;N;$!ba;s/\n/\\n/g' ${SRV_TLS_CSR})
+
+ SERVER_CERT_SANS="IP:127.0.0.1,DNS:dind,DNS:*.dind.${NAMESPACE},DNS:*.dind.${NAMESPACE}.svc${KUBE_DOMAIN},DNS:*.cf-cd.com,DNS:*.codefresh.io"
+ if [[ -n "${SERVER_CERT_EXTRA_SANS}" ]]; then
+ SERVER_CERT_SANS=${SERVER_CERT_SANS},${SERVER_CERT_EXTRA_SANS}
+ fi
+ echo "{\"reqSubjectAltName\": \"${SERVER_CERT_SANS}\", \"csr\": \"${CSR}\" }" > ${TMPDIR}/sign_req.json
+
+ rm -fv ${TMP_CERTS_HEADERS_FILE} ${TMP_CERTS_FILE_ZIP}
+
+ SIGN_STATUS=$(curl -k -sSL -d @${TMPDIR}/sign_req.json -H "Content-Type: application/json" -H "Authorization: ${API_TOKEN}" -H "Expect: " \
+ -o ${TMP_CERTS_FILE_ZIP} -D ${TMP_CERTS_HEADERS_FILE} -w '%{http_code}' ${API_HOST}/${API_SIGN_PATH} )
+
+ echo "Sign request completed with HTTP_STATUS_CODE=$SIGN_STATUS"
+ if [[ $SIGN_STATUS != 200 ]]; then
+ echo "ERROR: Cannot sign certificates"
+ if [[ -f ${TMP_CERTS_FILE_ZIP} ]]; then
+ mv ${TMP_CERTS_FILE_ZIP} ${TMP_CERTS_FILE_ZIP}.error
+ cat ${TMP_CERTS_FILE_ZIP}.error
+ fi
+ exit 1
+ fi
+ unzip -o -d ${CERTS_DIR}/ ${TMP_CERTS_FILE_ZIP} || fatal "Failed to unzip certificates to ${CERTS_DIR} "
+ cp -v ${CF_SRV_TLS_CA_CERT} $SRV_TLS_CA_CERT || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains ca.pem"
+ cp -v ${CF_SRV_TLS_CERT} $SRV_TLS_CERT || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains cf-server-cert.pem"
+
+
+echo -e "\n------------------\nCreating certificate secret "
+
+kubectl -n $NAMESPACE create secret generic $K8S_CERT_SECRET_NAME \
+ --from-file=$SRV_TLS_CA_CERT \
+ --from-file=$SRV_TLS_KEY \
+ --from-file=$SRV_TLS_CERT \
+ --dry-run=client -o yaml | kubectl apply 
--overwrite -f -
+kubectl -n $NAMESPACE label --overwrite secret ${K8S_CERT_SECRET_NAME} codefresh.io/internal=true
+kubectl -n $NAMESPACE patch secret $K8S_CERT_SECRET_NAME -p '{"metadata": {"finalizers": ["kubernetes"]}}'
diff --git a/charts/codefresh/cf-runtime/6.3.61/files/init-runtime.sh b/charts/codefresh/cf-runtime/6.3.61/files/init-runtime.sh
new file mode 100644
index 000000000..eb3488af1
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/files/init-runtime.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+echo "-----"
+echo "API_HOST: ${API_HOST}"
+echo "AGENT_NAME: ${AGENT_NAME}"
+echo "KUBE_CONTEXT: ${KUBE_CONTEXT}"
+echo "KUBE_NAMESPACE: ${KUBE_NAMESPACE}"
+echo "OWNER_NAME: ${OWNER_NAME}"
+echo "RUNTIME_NAME: ${RUNTIME_NAME}"
+echo "SECRET_NAME: ${SECRET_NAME}"
+echo "-----"
+
+create_agent_secret() {
+
+ kubectl apply -f - < $1\e[0m"; }
+err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; }
+
+
+if [ -z "${USER_CODEFRESH_TOKEN}" ]; then
+ err "missing codefresh user token. must supply \".global.codefreshToken\" if agent-codefresh-token does not exist"
+ exit 1
+fi
+
+codefresh auth create-context --api-key ${USER_CODEFRESH_TOKEN} --url ${API_HOST}
+
+while true; do
+ msg "Reconciling ${RUNTIME_NAME} runtime"
+
+ sleep $RECONCILE_INTERVAL
+
+ codefresh get re \
+ --name ${RUNTIME_NAME} \
+ -o yaml \
+ | yq 'del(.version, .metadata.changedBy, .metadata.creationTime)' > /tmp/runtime.yaml
+
+ kubectl get cm ${CONFIGMAP_NAME} -n ${KUBE_NAMESPACE} -o yaml \
+ | yq 'del(.metadata.resourceVersion, .metadata.uid)' \
+ | yq eval '.data["runtime.yaml"] = load_str("/tmp/runtime.yaml")' \
+ | kubectl apply -f -
+done
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_deployment.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_deployment.yaml
new file mode 100644
index 000000000..26f3576b7
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_deployment.yaml
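Review bot: The CSR signing request is sent with `curl -k`, which disables certificate verification for the one connection that carries the API token in the `Authorization` header and returns the CA and server certificate the DinD daemon will trust, so an on-path party between the runtime and `${API_HOST}` could read the token or hand back certificates of its choosing. Drop `-k` (or gate it behind an explicit opt-in variable such as a constructed `CURL_INSECURE`), and if the API host uses a private CA pass it with `--cacert` instead. The private key is also generated under `/tmp/codefresh/ssl` with the inherited umask and left on disk after the secret is applied; `umask 077` before the `openssl genrsa` line and `rm -rf "${CERTS_DIR}" "${TMPDIR}/sign_req.json"` after the final `kubectl patch` would limit its exposure. `KUBE_DOMAIN` is interpolated into the SAN list but never defined or defaulted in this script, so presumably the caller's environment supplies it — worth a `# KUBE_DOMAIN is expected from the environment (e.g. ".cluster.local")` comment, or a default, near the other defaults.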
@@ -0,0 +1,70 @@
+{{- define "app-proxy.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "app-proxy.fullname" . }}
+ labels:
+ {{- include "app-proxy.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicasCount }}
+ strategy:
+ type: {{ .Values.updateStrategy.type }}
+ selector:
+ matchLabels:
+ {{- include "app-proxy.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "app-proxy.selectorLabels" . | nindent 8 }}
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+ serviceAccountName: {{ include "app-proxy.serviceAccountName" . }}
+ {{- if .Values.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: app-proxy
+ image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+ env:
+ {{- include "app-proxy.environment-variables" . | nindent 8 }}
+ ports:
+ - name: http
+ containerPort: 3000
+ readinessProbe:
+ initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+ httpGet:
+ path: /health
+ port: http
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ {{- with .Values.extraVolumeMounts }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . 
| nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ volumes:
+ {{- with .Values.extraVolumes }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_env-vars.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_env-vars.yaml
new file mode 100644
index 000000000..c9b9a0e36
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_env-vars.yaml
@@ -0,0 +1,19 @@
+{{- define "app-proxy.environment-variables.defaults" }}
+PORT: 3000
+{{- end }}
+
+{{- define "app-proxy.environment-variables.calculated" }}
+CODEFRESH_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+{{- with .Values.ingress.pathPrefix }}
+API_PATH_PREFIX: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "app-proxy.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "app-proxy.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "app-proxy.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_helpers.tpl b/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_helpers.tpl
new file mode 100644
index 000000000..2d4272ca9
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_helpers.tpl
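Review bot: The app-proxy container carries no container-level `securityContext`; only the pod-level one is templated (`omit .Values.podSecurityContext "enabled"`), so `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and capability drops cannot be set for this container without editing the template. Mirroring the pod-level pattern with a `containerSecurityContext` value (the README in this same commit already documents such a key for `dind-lv-monitor`) would close that gap: under the container's `imagePullPolicy` line add `{{- if .Values.containerSecurityContext.enabled }}` / `securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}` / `{{- end }}`, with the matching default added to the chart's values file, which is not in this diff. event-exporter/_deployment.yaml has the same shape and would take the same change.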
@@ -0,0 +1,43 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "app-proxy.name" -}} + {{- printf "%s-%s" (include "cf-runtime.name" .) "app-proxy" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "app-proxy.fullname" -}} + {{- printf "%s-%s" (include "cf-runtime.fullname" .) "app-proxy" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "app-proxy.labels" -}} +{{ include "cf-runtime.labels" . }} +codefresh.io/application: app-proxy +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "app-proxy.selectorLabels" -}} +{{ include "cf-runtime.selectorLabels" . }} +codefresh.io/application: app-proxy +{{- end }} + + +{{/* +Create the name of the service account to use +*/}} +{{- define "app-proxy.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "app-proxy.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_ingress.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_ingress.yaml new file mode 100644 index 000000000..d7860b363 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_ingress.yaml 
@@ -0,0 +1,32 @@
+{{- define "app-proxy.resources.ingress" -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ include "app-proxy.fullname" . }}
+ labels: {{- include "app-proxy.labels" . | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if and .Values.ingress.class (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: {{ .Values.ingress.class }}
+ {{- end }}
+ {{- if .Values.ingress.tlsSecret }}
+ tls:
+ - hosts:
+ - {{ .Values.ingress.host }}
+ secretName: {{ .Values.tlsSecret }}
+ {{- end }}
+ rules:
+ - host: {{ .Values.ingress.host }}
+ http:
+ paths:
+ - path: {{ .Values.ingress.pathPrefix | default "/" }}
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ include "app-proxy.fullname" . }}
+ port:
+ number: 80
+{{- end -}}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_rbac.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_rbac.yaml
new file mode 100644
index 000000000..87bd869ba
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_rbac.yaml
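Review bot: The `tls` block is guarded by `.Values.ingress.tlsSecret` but then emits `secretName: {{ .Values.tlsSecret }}`, a different top-level key, so whenever TLS is enabled the rendered secretName is empty and the ingress controller will either reject the object or fall back to its default certificate instead of the one the operator configured. The line should read `secretName: {{ .Values.ingress.tlsSecret }}`.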
@@ -0,0 +1,47 @@
+{{- define "app-proxy.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "app-proxy.serviceAccountName" . }}
+ labels:
+ {{- include "app-proxy.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "app-proxy.fullname" . }}
+ labels:
+ {{- include "app-proxy.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "secrets" ]
+ verbs: [ "get" ]
+{{- with .Values.rbac.rules }}
+ {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "app-proxy.fullname" . }}
+ labels:
+ {{- include "app-proxy.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "app-proxy.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: {{ include "app-proxy.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_service.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_service.yaml
new file mode 100644
index 000000000..4c3a93bf2
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/app-proxy/_service.yaml
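Review bot: `roleRef.kind` is hard-coded to `Role` while the role and binding kinds follow `.Values.rbac.namespaced`, so with `namespaced: false` the template emits a `ClusterRoleBinding` whose roleRef names kind `Role`; the API server rejects that (a ClusterRoleBinding may only reference a ClusterRole) and the install fails. Use the same ternary on that line: `kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}`. Separately, the built-in rule grants `get` on all `secrets` with no `resourceNames`, which turns into read access to every secret in the cluster once the role is a ClusterRole; a comment on the `rules:` line such as `# namespaced: false widens secret read access to the whole cluster; keep it namespaced unless required` would make that trade-off visible to operators.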
@@ -0,0 +1,17 @@ +{{- define "app-proxy.resources.service" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "app-proxy.fullname" . }} + labels: + {{- include "app-proxy.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 3000 + selector: + {{- include "app-proxy.selectorLabels" . | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_deployment.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_deployment.yaml new file mode 100644 index 000000000..62588b4d3 --- /dev/null +++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_deployment.yaml 
@@ -0,0 +1,62 @@
+{{- define "event-exporter.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "event-exporter.fullname" . }}
+ labels:
+ {{- include "event-exporter.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicasCount }}
+ strategy:
+ type: {{ .Values.updateStrategy.type }}
+ selector:
+ matchLabels:
+ {{- include "event-exporter.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "event-exporter.selectorLabels" . | nindent 8 }}
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+ serviceAccountName: {{ include "event-exporter.serviceAccountName" . }}
+ {{- if .Values.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: event-exporter
+ image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+ args: [--running-in-cluster=true]
+ env:
+ {{- include "event-exporter.environment-variables" . | nindent 8 }}
+ ports:
+ - name: metrics
+ containerPort: 9102
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ {{- with .Values.extraVolumeMounts }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ volumes:
+ {{- with .Values.extraVolumes }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+{{- end -}}
\ No newline at end of file
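Review bot: The container at `- name: event-exporter` carries no container-level `securityContext`, so only the pod-level `podSecurityContext` applies; the dind-lv-monitor daemonset added in this same commit exposes a `.Values.containerSecurityContext` block for exactly this, and the monitor and runner deployments share the same gap. Adding the same conditional here, `{{- if .Values.containerSecurityContext.enabled }}` / `securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}` / `{{- end }}`, would let operators set allowPrivilegeEscalation, capability drops and a read-only root filesystem per container without forking the chart. Whether values.yaml already defines `containerSecurityContext` for these components is not visible in this hunk.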
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_env-vars.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_env-vars.yaml
new file mode 100644
index 000000000..d28d0776f
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_env-vars.yaml
@@ -0,0 +1,14 @@
+{{- define "event-exporter.environment-variables.defaults" }}
+{{- end }}
+
+{{- define "event-exporter.environment-variables.calculated" }}
+{{- end }}
+
+{{- define "event-exporter.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "event-exporter.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "event-exporter.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_helpers.tpl b/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_helpers.tpl
new file mode 100644
index 000000000..5b8b5eff7
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_helpers.tpl
@@ -0,0 +1,43 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "event-exporter.name" -}}
+ {{- printf "%s-%s" (include "cf-runtime.name" .) "event-exporter" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "event-exporter.fullname" -}}
+ {{- printf "%s-%s" (include "cf-runtime.fullname" .) "event-exporter" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "event-exporter.labels" -}}
+{{ include "cf-runtime.labels" . }}
+app: event-exporter
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "event-exporter.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+app: event-exporter
+{{- end }}
+
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "event-exporter.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "event-exporter.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_rbac.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_rbac.yaml
new file mode 100644
index 000000000..69d7b6b2f
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_rbac.yaml
@@ -0,0 +1,47 @@
+{{- define "event-exporter.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "event-exporter.serviceAccountName" . }}
+ labels:
+ {{- include "event-exporter.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "event-exporter.fullname" . }}
+ labels:
+ {{- include "event-exporter.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: [events]
+ verbs: [get, list, watch]
+{{- with .Values.rbac.rules }}
+ {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "event-exporter.fullname" . }}
+ labels:
+ {{- include "event-exporter.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "event-exporter.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "event-exporter.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_service.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_service.yaml
new file mode 100644
index 000000000..6fa29ec1a
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_service.yaml
@@ -0,0 +1,17 @@
+{{- define "event-exporter.resources.service" -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "event-exporter.fullname" . }}
+ labels:
+ {{- include "event-exporter.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - name: metrics
+ port: 9102
+ targetPort: metrics
+ protocol: TCP
+ selector:
+ {{- include "event-exporter.selectorLabels" . | nindent 4 }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_serviceMontor.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_serviceMontor.yaml
new file mode 100644
index 000000000..6092443f0
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/event-exporter/_serviceMontor.yaml
@@ -0,0 +1,14 @@
+{{- define "event-exporter.resources.serviceMonitor" -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "event-exporter.fullname" . }}
+ labels:
+ {{- include "event-exporter.labels" . | nindent 4 }}
+spec:
+ endpoints:
+ - port: metrics
+ selector:
+ matchLabels:
+ {{- include "event-exporter.selectorLabels" . | nindent 6 }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_deployment.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_deployment.yaml
new file mode 100644
index 000000000..7efa6557b
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_deployment.yaml
@@ -0,0 +1,70 @@
+{{- define "monitor.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "monitor.fullname" . }}
+ labels:
+ {{- include "monitor.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicasCount }}
+ strategy:
+ type: {{ .Values.updateStrategy.type }}
+ selector:
+ matchLabels:
+ {{- include "monitor.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "monitor.selectorLabels" . | nindent 8 }}
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+ serviceAccountName: {{ include "monitor.serviceAccountName" . }}
+ {{- if .Values.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: monitor
+ image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+ env:
+ {{- include "monitor.environment-variables" . | nindent 8 }}
+ ports:
+ - name: http
+ containerPort: 9020
+ readinessProbe:
+ initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+ httpGet:
+ path: /api/ping
+ port: 9020
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ {{- with .Values.extraVolumeMounts }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ volumes:
+ {{- with .Values.extraVolumes }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_env-vars.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_env-vars.yaml
new file mode 100644
index 000000000..f58c7fa25
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_env-vars.yaml
@@ -0,0 +1,26 @@
+{{- define "monitor.environment-variables.defaults" }}
+SERVICE_NAME: {{ include "monitor.fullname" . }}
+PORT: 9020
+HELM3: true
+NODE_OPTIONS: "--max_old_space_size=4096"
+{{- end }}
+
+{{- define "monitor.environment-variables.calculated" }}
+API_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
+CLUSTER_ID: {{ include "runtime.runtime-environment-spec.context-name" . }}
+API_URL: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}/api/k8s-monitor/events
+ACCOUNT_ID: {{ .Values.global.accountId }}
+NAMESPACE: {{ .Release.Namespace }}
+{{- if .Values.rbac.namespaced }}
+ROLE_BINDING: true
+{{- end }}
+{{- end }}
+
+{{- define "monitor.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "monitor.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "monitor.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_helpers.tpl b/charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_helpers.tpl
new file mode 100644
index 000000000..71cc1c027
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_helpers.tpl
@@ -0,0 +1,42 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "monitor.name" -}}
+ {{- printf "%s-%s" (include "cf-runtime.name" .) "monitor" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "monitor.fullname" -}}
+ {{- printf "%s-%s" (include "cf-runtime.fullname" .) "monitor" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "monitor.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: monitor
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "monitor.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: monitor
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "monitor.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "monitor.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_rbac.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_rbac.yaml
new file mode 100644
index 000000000..88204796a
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_rbac.yaml
@@ -0,0 +1,56 @@
+{{- define "monitor.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "monitor.serviceAccountName" . }}
+ labels:
+ {{- include "monitor.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "monitor.fullname" . }}
+ labels:
+ {{- include "monitor.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "*" ]
+ verbs: [ "get", "list", "watch", "create", "delete" ]
+ - apiGroups: [ "" ]
+ resources: [ "pods" ]
+ verbs: [ "get", "list", "watch", "create", "deletecollection" ]
+ - apiGroups: [ "extensions" ]
+ resources: [ "*" ]
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: [ "apps" ]
+ resources: [ "*" ]
+ verbs: [ "get", "list", "watch" ]
+{{- with .Values.rbac.rules }}
+ {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "monitor.fullname" . }}
+ labels:
+ {{- include "monitor.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "monitor.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
+ name: {{ include "monitor.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_service.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_service.yaml
new file mode 100644
index 000000000..f6ae9bb0f
--- /dev/null
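Review bot: The first rule grants `resources: [ "*" ]` with `create` and `delete` on the core API group, which covers secrets, serviceaccounts and configmaps among others, and when `rbac.namespaced` is false the rule lands in a ClusterRole, i.e. cluster-wide. The separate `pods` rule directly below it suggests the wildcard was not meant to cover every core kind; enumerating the resources the monitor actually creates and deletes, or at minimum a template comment stating why the wildcard is required, would keep the least-privilege story reviewable. `.Values.rbac.rules` already gives deployments that genuinely need more an extension point, so narrowing the default costs nothing in flexibility.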
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/monitor/_service.yaml
@@ -0,0 +1,17 @@
+{{- define "monitor.resources.service" -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "monitor.fullname" . }}
+ labels:
+ {{- include "monitor.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 9020
+ selector:
+ {{- include "monitor.selectorLabels" . | nindent 4 }}
+{{- end -}}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/_deployment.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/_deployment.yaml
new file mode 100644
index 000000000..e1fb9439a
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/_deployment.yaml
@@ -0,0 +1,103 @@
+{{- define "runner.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "runner.fullname" . }}
+ labels:
+ {{- include "runner.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicasCount }}
+ strategy:
+ type: {{ .Values.updateStrategy.type }}
+ selector:
+ matchLabels:
+ {{- include "runner.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "runner.selectorLabels" . | nindent 8 }}
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+ serviceAccountName: {{ include "runner.serviceAccountName" . }}
+ {{- if .Values.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ initContainers:
+ - name: init
+ image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.init.image "context" .) }}
+ imagePullPolicy: {{ .Values.init.image.pullPolicy | default "IfNotPresent" }}
+ command:
+ - /bin/bash
+ args:
+ - -ec
+ - | {{ .Files.Get "files/init-runtime.sh" | nindent 10 }}
+ env:
+ {{- include "runner-init.environment-variables" . | nindent 8 }}
+ {{- with .Values.init.resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ containers:
+ - name: runner
+ image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" }}
+ env:
+ {{- include "runner.environment-variables" . | nindent 8 }}
+ ports:
+ - name: http
+ containerPort: 8080
+ readinessProbe:
+ initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+ httpGet:
+ path: /health
+ port: http
+ {{- with .Values.resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ {{- with .Values.extraVolumeMounts }}
+ volumeMounts:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.sidecar.enabled }}
+ - name: reconcile-runtime
+ image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.sidecar.image "context" .) }}
+ imagePullPolicy: {{ .Values.sidecar.image.pullPolicy | default "IfNotPresent" }}
+ command:
+ - /bin/bash
+ args:
+ - -ec
+ - | {{ .Files.Get "files/reconcile-runtime.sh" | nindent 10 }}
+ env:
+ {{- include "runner-sidecar.environment-variables" . | nindent 8 }}
+ {{- with .Values.sidecar.resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with .Values.extraVolumes }}
+ volumes:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/_helpers.tpl b/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/_helpers.tpl
new file mode 100644
index 000000000..2608cb67e
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/_helpers.tpl
@@ -0,0 +1,42 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "runner.name" -}}
+ {{- printf "%s-%s" (include "cf-runtime.name" .) "runner" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "runner.fullname" -}}
+ {{- printf "%s-%s" (include "cf-runtime.fullname" .) "runner" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "runner.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: runner
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "runner.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: runner
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "runner.serviceAccountName" -}}
+ {{- if .Values.serviceAccount.create }}
+ {{- default (include "runner.fullname" .) .Values.serviceAccount.name }}
+ {{- else }}
+ {{- default "default" .Values.serviceAccount.name }}
+ {{- end }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/_rbac.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/_rbac.yaml
new file mode 100644
index 000000000..d95b958d5
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/_rbac.yaml
@@ -0,0 +1,53 @@
+{{- define "runner.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "runner.serviceAccountName" . }}
+ labels:
+ {{- include "runner.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "runner.fullname" . }}
+ labels:
+ {{- include "runner.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "pods", "persistentvolumeclaims" ]
+ verbs: [ "get", "create", "delete", patch ]
+ - apiGroups: [ "" ]
+ resources: [ "configmaps", "secrets" ]
+ verbs: [ "get", "create", "update", patch ]
+ - apiGroups: [ "apps" ]
+ resources: [ "deployments" ]
+ verbs: [ "get" ]
+{{- with .Values.rbac.rules }}
+ {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "runner.fullname" . }}
+ labels:
+ {{- include "runner.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "runner.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: {{ include "runner.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/environment-variables/_init-container.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/environment-variables/_init-container.yaml
new file mode 100644
index 000000000..6dda110f7
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/environment-variables/_init-container.yaml
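Review bot: The verb lists mix quoted and bare scalars, `verbs: [ "get", "create", "delete", patch ]` and `verbs: [ "get", "create", "update", patch ]`; both forms parse to the same strings, but the unquoted trailing entry reads like a missing quote and invites a copy-paste slip when the list is next edited. Writing `"patch"` in both rules matches every other verb in the file and the sibling RBAC templates in this commit.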
@@ -0,0 +1,30 @@
+{{- define "runner-init.environment-variables.defaults" }}
+HOME: /tmp
+{{- end }}
+
+{{- define "runner-init.environment-variables.calculated" }}
+AGENT_NAME: {{ include "runtime.runtime-environment-spec.agent-name" . }}
+API_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+AGENT_CODEFRESH_TOKEN:
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "runner.fullname" . }}
+ key: agent-codefresh-token
+ optional: true
+EXISTING_AGENT_CODEFRESH_TOKEN: {{ include "runtime.agent-token-env-var-value" . | nindent 2 }}
+KUBE_CONTEXT: {{ include "runtime.runtime-environment-spec.context-name" . }}
+KUBE_NAMESPACE: {{ .Release.Namespace }}
+OWNER_NAME: {{ include "runner.fullname" . }}
+RUNTIME_NAME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+SECRET_NAME: {{ include "runner.fullname" . }}
+USER_CODEFRESH_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
+{{- end }}
+
+{{- define "runner-init.environment-variables" }}
+ {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+ {{- $defaults := (include "runner-init.environment-variables.defaults" . | fromYaml) }}
+ {{- $calculated := (include "runner-init.environment-variables.calculated" . | fromYaml) }}
+ {{- $overrides := .Values.env }}
+ {{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+ {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/environment-variables/_main-container.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/environment-variables/_main-container.yaml
new file mode 100644
index 000000000..4d3f0304e
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/environment-variables/_main-container.yaml
@@ -0,0 +1,28 @@
+{{- define "runner.environment-variables.defaults" }}
+AGENT_MODE: InCluster
+SELF_DEPLOYMENT_NAME:
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+{{- end }}
+
+{{- define "runner.environment-variables.calculated" }}
+AGENT_ID: {{ include "runtime.runtime-environment-spec.agent-name" . }}
+CODEFRESH_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+CODEFRESH_IN_CLUSTER_RUNTIME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+CODEFRESH_TOKEN:
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "runner.fullname" . }}
+ key: agent-codefresh-token
+DOCKER_REGISTRY: {{ .Values.global.imageRegistry }}
+{{- end }}
+
+{{- define "runner.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "runner.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "runner.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/environment-variables/_sidecar-container.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/environment-variables/_sidecar-container.yaml
new file mode 100644
index 000000000..3adcbe5d4
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/runner/environment-variables/_sidecar-container.yaml
@@ -0,0 +1,22 @@
+{{- define "runner-sidecar.environment-variables.defaults" }}
+HOME: /tmp
+{{- end }}
+
+{{- define "runner-sidecar.environment-variables.calculated" }}
+API_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+USER_CODEFRESH_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
+KUBE_CONTEXT: {{ include "runtime.runtime-environment-spec.context-name" . }}
+KUBE_NAMESPACE: {{ .Release.Namespace }}
+OWNER_NAME: {{ include "runner.fullname" . }}
+RUNTIME_NAME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+CONFIGMAP_NAME: {{ printf "%s-%s" (include "runtime.fullname" .) "spec" }}
+{{- end }}
+
+{{- define "runner-sidecar.environment-variables" }}
+ {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+ {{- $defaults := (include "runner-sidecar.environment-variables.defaults" . | fromYaml) }}
+ {{- $calculated := (include "runner-sidecar.environment-variables.calculated" . | fromYaml) }}
+ {{- $overrides := .Values.sidecar.env }}
+ {{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+ {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_cronjob.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_cronjob.yaml
new file mode 100644
index 000000000..20bd2d56e
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_cronjob.yaml
@@ -0,0 +1,58 @@
+{{- define "dind-volume-provisioner.resources.cronjob" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- if not (eq .Values.storage.backend "local") }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: {{ include "dind-volume-cleanup.fullname" . }}
+ labels:
+ {{- include "dind-volume-cleanup.labels" . | nindent 4 }}
+spec:
+ concurrencyPolicy: {{ .Values.concurrencyPolicy }}
+ schedule: {{ .Values.schedule | quote }}
+ successfulJobsHistoryLimit: {{ .Values.successfulJobsHistory }}
+ failedJobsHistoryLimit: {{ .Values.failedJobsHistory }}
+ {{- with .Values.suspend }}
+ suspend: {{ . }}
+ {{- end }}
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ labels:
+ {{- include "dind-volume-cleanup.selectorLabels" . | nindent 12 }}
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ spec:
+ {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 10 }}
+ serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+ {{- if .Values.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
+ restartPolicy: {{ .Values.restartPolicy | default "Never" }}
+ containers:
+ - name: dind-volume-cleanup
+ image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+ env:
+ {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) | nindent 12 }}
+ - name: PROVISIONED_BY
+ value: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
+ resources:
+ {{- toYaml .Values.resources | nindent 14 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_daemonset.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_daemonset.yaml
new file mode 100644
index 000000000..cb463231d
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_daemonset.yaml
@@ -0,0 +1,98 @@
+{{- define "dind-volume-provisioner.resources.daemonset" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $localVolumeParentDir := .Values.storage.local.volumeParentDir }}
+{{- if eq .Values.storage.backend "local" }}
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ include "dind-lv-monitor.fullname" . }}
+ labels:
+ {{- include "dind-lv-monitor.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "dind-lv-monitor.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "dind-lv-monitor.selectorLabels" . | nindent 8 }}
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+ serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+ {{- if .Values.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ {{- if .Values.volumePermissions.enabled }}
+ initContainers:
+ - name: volume-permissions
+ image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.volumePermissions.image "context" .)
}}
+ imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | default "Always" }}
+ command:
+ - /bin/sh
+ args:
+ - -ec
+ - |
+ chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }}
+ volumeMounts:
+ - mountPath: {{ $localVolumeParentDir }}
+ name: dind-volume-dir
+ {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+ securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 10 }}
+ {{- else }}
+ securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 10 }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.volumePermissions.resources | nindent 10 }}
+ {{- end }}
+ containers:
+ - name: dind-lv-monitor
+ image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}
+ {{- end }}
+ command:
+ - /home/dind-volume-utils/bin/local-volumes-agent
+ env:
+ {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) | nindent 10 }}
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: VOLUME_PARENT_DIR
+ value: {{ $localVolumeParentDir }}
+ resources:
+ {{- toYaml .Values.resources | nindent 10 }}
+ volumeMounts:
+ - mountPath: {{ $localVolumeParentDir }}
+ readOnly: false
+ name: dind-volume-dir
+ {{- with .Values.extraVolumeMounts }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml .
| nindent 6 }}
+ {{- end }}
+ volumes:
+ - name: dind-volume-dir
+ hostPath:
+ path: {{ $localVolumeParentDir }}
+ {{- with .Values.extraVolumes }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+{{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_deployment.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_deployment.yaml
new file mode 100644
index 000000000..9252b4520
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_deployment.yaml
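Review bot: `$localVolumeParentDir` is rendered unquoted into the `chown -R …` shell line of the `volume-permissions` init container, into both `mountPath:` entries and into `hostPath.path:`, so an unset value renders `chown -R <uid>:<gid> ` with no target and an empty `mountPath:`, and a value containing spaces or YAML-significant characters breaks either the script or the manifest. Because the init container performs a recursive `chown` on a writable hostPath, failing at render time is the safer outcome; a presence check inside the `if eq .Values.storage.backend "local"` branch, `{{- $_ := required "storage.local.volumeParentDir is required when storage.backend is local" $localVolumeParentDir }}`, gives that without affecting the other backends. Quoting it where it appears (`mountPath: {{ $localVolumeParentDir | quote }}`, `path: {{ $localVolumeParentDir | quote }}`, and `"{{ $localVolumeParentDir }}"` inside the `chown` line) closes the second case.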
@@ -0,0 +1,67 @@
+{{- define "dind-volume-provisioner.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "dind-volume-provisioner.fullname" . }}
+ labels:
+ {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicasCount }}
+ strategy:
+ type: {{ .Values.updateStrategy.type }}
+ selector:
+ matchLabels:
+ {{- include "dind-volume-provisioner.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "dind-volume-provisioner.selectorLabels" . | nindent 8 }}
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+ serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+ {{- if .Values.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: dind-volume-provisioner
+ image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+ command:
+ - /usr/local/bin/dind-volume-provisioner
+ - -v=4
+ - --resync-period=50s
+ env:
+ {{- include "dind-volume-provisioner.environment-variables" . | nindent 8 }}
+ ports:
+ - name: http
+ containerPort: 8080
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ {{- include "dind-volume-provisioner.volumeMounts.calculated" . | nindent 8 }}
+ {{- with .Values.extraVolumeMounts }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml .
| nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ volumes:
+ {{- include "dind-volume-provisioner.volumes.calculated" . | nindent 6 }}
+ {{- with .Values.extraVolumes }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_env-vars.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_env-vars.yaml
new file mode 100644
index 000000000..e1f5dfe60
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_env-vars.yaml
@@ -0,0 +1,88 @@
+{{- define "dind-volume-provisioner.environment-variables.defaults" }}
+{{- end }}
+
+{{- define "dind-volume-provisioner.environment-variables.calculated" }}
+DOCKER_REGISTRY: {{ .Values.global.imageRegistry }}
+PROVISIONER_NAME: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
+
+{{- if or .Values.storage.ebs.accessKeyId .Values.storage.ebs.accessKeyIdSecretKeyRef }}
+AWS_ACCESS_KEY_ID:
+ {{- if .Values.storage.ebs.accessKeyId }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "dind-volume-provisioner.fullname" . }}
+ key: aws_access_key_id
+ {{- else if .Values.storage.ebs.accessKeyIdSecretKeyRef }}
+ valueFrom:
+ secretKeyRef:
+ {{- .Values.storage.ebs.accessKeyIdSecretKeyRef | toYaml | nindent 6 }}
+ {{- end }}
+{{- end }}
+
+{{- if or .Values.storage.ebs.secretAccessKey .Values.storage.ebs.secretAccessKeySecretKeyRef }}
+AWS_SECRET_ACCESS_KEY:
+ {{- if .Values.storage.ebs.secretAccessKey }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "dind-volume-provisioner.fullname" . }}
+ key: aws_secret_access_key
+ {{- else if .Values.storage.ebs.secretAccessKeySecretKeyRef }}
+ valueFrom:
+ secretKeyRef:
+ {{- .Values.storage.ebs.secretAccessKeySecretKeyRef | toYaml | nindent 6 }}
+ {{- end }}
+{{- end }}
+
+{{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
+GOOGLE_APPLICATION_CREDENTIALS: {{ printf "/etc/dind-volume-provisioner/credentials/%s" (.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.key | default "google-service-account.json") }}
+{{- end }}
+
+{{- if and .Values.storage.mountAzureJson }}
+AZURE_CREDENTIAL_FILE: /etc/kubernetes/azure.json
+CLOUDCONFIG_AZURE: /etc/kubernetes/azure.json
+{{- end }}
+
+{{- end }}
+
+{{- define "dind-volume-provisioner.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "dind-volume-provisioner.environment-variables.defaults" .
| fromYaml) }}
+{{- $calculated := (include "dind-volume-provisioner.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}
+
+
+{{- define "dind-volume-provisioner.volumes.calculated" }}
+ {{- if .Values.storage.gcedisk.serviceAccountJson }}
+- name: credentials
+ secret:
+ secretName: {{ include "dind-volume-provisioner.fullname" . }}
+ optional: true
+ {{- else if .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
+- name: credentials
+ secret:
+ secretName: {{ .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.name }}
+ optional: true
+ {{- end }}
+ {{- if .Values.storage.mountAzureJson }}
+- name: azure-json
+ hostPath:
+ path: /etc/kubernetes/azure.json
+ type: File
+ {{- end }}
+{{- end }}
+
+{{- define "dind-volume-provisioner.volumeMounts.calculated" }}
+ {{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
+- name: credentials
+ readOnly: true
+ mountPath: "/etc/dind-volume-provisioner/credentials"
+ {{- end }}
+ {{- if .Values.storage.mountAzureJson }}
+- name: azure-json
+ readOnly: true
+ mountPath: "/etc/kubernetes/azure.json"
+ {{- end }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_helpers.tpl b/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_helpers.tpl
new file mode 100644
index 000000000..e3d3a0d3f
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_helpers.tpl
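Review bot: `{{- if and .Values.storage.mountAzureJson }}` in `environment-variables.calculated` uses `and` with a single operand, which is a no-op and reads as if a second condition was dropped while editing; the same form appears in `event-exporter/deployment.yaml` and `event-exporter/rbac.yaml`, `job-gencerts-dind.yaml` and `rbac-gencerts-dind.yaml` (`{{- if and $values.enabled }}`), whereas `volumes.calculated` further down this hunk and `event-exporter/service.yaml` use the plain form. Collapsing them to `{{- if .Values.storage.mountAzureJson }}` and `{{- if $values.enabled }}` preserves behavior and removes the ambiguity. It is also worth a one-line comment above the `mountAzureJson` block that it hands the provisioner the node's cloud-provider credentials from `/etc/kubernetes/azure.json` via a hostPath, since that is not obvious from the env var names alone.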
@@ -0,0 +1,93 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "dind-volume-provisioner.name" -}}
+ {{- printf "%s-%s" (include "cf-runtime.name" .) "volume-provisioner" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "dind-volume-provisioner.fullname" -}}
+ {{- printf "%s-%s" (include "cf-runtime.fullname" .) "volume-provisioner" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "dind-volume-cleanup.fullname" -}}
+ {{- printf "%s-%s" (include "cf-runtime.fullname" .) "volume-cleanup" | trunc 52 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "dind-lv-monitor.fullname" -}}
+ {{- printf "%s-%s" (include "cf-runtime.fullname" .) "lv-monitor" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Provisioner name for storage class
+*/}}
+{{- define "dind-volume-provisioner.volumeProvisionerName" }}
+ {{- printf "codefresh.io/dind-volume-provisioner-runner-%s" .Release.Namespace }}
+{{- end }}
+
+{{/*
+Common labels for dind-lv-monitor
+*/}}
+{{- define "dind-lv-monitor.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: lv-monitor
+{{- end }}
+
+{{/*
+Selector labels for dind-lv-monitor
+*/}}
+{{- define "dind-lv-monitor.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: lv-monitor
+{{- end }}
+
+{{/*
+Common labels for dind-volume-provisioner
+*/}}
+{{- define "dind-volume-provisioner.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: volume-provisioner
+{{- end }}
+
+{{/*
+Selector labels for dind-volume-provisioner
+*/}}
+{{- define "dind-volume-provisioner.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" .
}}
+codefresh.io/application: volume-provisioner
+{{- end }}
+
+{{/*
+Common labels for dind-volume-cleanup
+*/}}
+{{- define "dind-volume-cleanup.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: pv-cleanup
+{{- end }}
+
+{{/*
+Common labels for dind-volume-cleanup
+*/}}
+{{- define "dind-volume-cleanup.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: pv-cleanup
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "dind-volume-provisioner.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "dind-volume-provisioner.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "dind-volume-provisioner.storageClassName" }}
+{{- printf "dind-local-volumes-runner-%s" .Release.Namespace }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_rbac.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_rbac.yaml
new file mode 100644
index 000000000..fbcbc684f
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_rbac.yaml
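Review bot: `dind-volume-cleanup.fullname` truncates at 52 where every sibling helper truncates at 63, and nothing says why; the reason is that Kubernetes limits CronJob names to 52 characters because the controller appends an 11-character suffix to each Job it creates, and that deserves a comment so a later edit does not "fix" it back to 63, e.g. `{{/* CronJob names are limited to 52 chars: the controller appends an 11-char suffix to each Job name */}}` above the define. The comment above `dind-volume-cleanup.selectorLabels` also reads `Common labels for dind-volume-cleanup`, copied from the block before it, and should say `Selector labels for dind-volume-cleanup` like its lv-monitor and volume-provisioner counterparts.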
@@ -0,0 +1,71 @@
+{{- define "dind-volume-provisioner.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+ labels:
+ {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "dind-volume-provisioner.fullname" . }}
+ labels:
+ {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "persistentvolumes" ]
+ verbs: [ "get", "list", "watch", "create", "delete", "patch" ]
+ - apiGroups: [ "" ]
+ resources: [ "persistentvolumeclaims" ]
+ verbs: [ "get", "list", "watch", "update", "delete" ]
+ - apiGroups: [ "storage.k8s.io" ]
+ resources: [ "storageclasses" ]
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: [ "" ]
+ resources: [ "events" ]
+ verbs: [ "list", "watch", "create", "update", "patch" ]
+ - apiGroups: [ "" ]
+ resources: [ "secrets" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [ "" ]
+ resources: [ "nodes" ]
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: [ "" ]
+ resources: [ "pods" ]
+ verbs: [ "get", "list", "watch", "create", "delete", "patch" ]
+ - apiGroups: [ "" ]
+ resources: [ "endpoints" ]
+ verbs: [ "get", "list", "watch", "create", "update", "delete" ]
+ - apiGroups: [ "coordination.k8s.io" ]
+ resources: [ "leases" ]
+ verbs: [ "get", "create", "update" ]
+{{- with .Values.rbac.rules }}
+ {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "dind-volume-provisioner.fullname" . }}
+ labels:
+ {{- include "dind-volume-provisioner.labels" .
| nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "dind-volume-provisioner.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_secret.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_secret.yaml
new file mode 100644
index 000000000..f361a7991
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_secret.yaml
@@ -0,0 +1,22 @@
+{{- define "dind-volume-provisioner.resources.secret" -}}
+{{- if or .Values.storage.ebs.accessKeyId .Values.storage.ebs.secretAccessKey .Values.storage.gcedisk.serviceAccountJson }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ include "dind-volume-provisioner.fullname" . }}
+ labels:
+ {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+stringData:
+ {{- with .Values.storage.gcedisk.serviceAccountJson }}
+ google-service-account.json: |
+{{- . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.storage.ebs.accessKeyId }}
+ aws_access_key_id: {{ . }}
+ {{- end }}
+ {{- with .Values.storage.ebs.secretAccessKey }}
+ aws_secret_access_key: {{ . }}
+ {{- end }}
+{{- end }}
+{{- end -}}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_storageclass.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_storageclass.yaml
new file mode 100644
index 000000000..62e910c87
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_components/volume-provisioner/_storageclass.yaml
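Review bot: The ClusterRole grants `get` and `list` on `secrets` across the whole cluster, yet the only secret these hunks show the provisioner reading is its own credentials secret, referenced by name in the release namespace from `_env-vars.yaml` and `_secret.yaml`. Cluster-wide `list` on secrets means a compromise of the provisioner pod exposes every secret in every namespace, so this rule is better moved out of the ClusterRole into a namespaced Role plus RoleBinding in `{{ .Release.Namespace }}`, narrowed with `resourceNames` if the binary only ever reads that one secret (what the binary reads beyond these env references is not visible here). The `.Values.rbac.rules` extension point can stay on the ClusterRole for installs that genuinely need more.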
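Review bot: `aws_access_key_id: {{ . }}` and `aws_secret_access_key: {{ . }}` under `stringData` are unquoted, so a secret access key that begins with a YAML-significant character or contains `: ` or ` #` renders an invalid or silently truncated manifest; `{{ . | quote }}` on both lines fixes that, and the `google-service-account.json` block scalar above them is already safe. Since these values arrive as plain chart values, a one-line comment next to the `if or` guard pointing at the `accessKeyIdSecretKeyRef` / `secretAccessKeySecretKeyRef` alternatives from `_env-vars.yaml` would steer users away from keeping cloud credentials in values files.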
@@ -0,0 +1,47 @@
+{{- define "dind-volume-provisioner.resources.storageclass" -}}
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+ {{/* has to be exactly that */}}
+ name: {{ include "dind-volume-provisioner.storageClassName" . }}
+ labels:
+ {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+provisioner: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
+parameters:
+{{- if eq .Values.storage.backend "local" }}
+ volumeBackend: local
+ volumeParentDir: {{ .Values.storage.local.volumeParentDir }}
+{{- else if eq .Values.storage.backend "gcedisk" }}
+ volumeBackend: {{ .Values.storage.backend }}
+ type: {{ .Values.storage.gcedisk.volumeType | default "pd-ssd" }}
+ zone: {{ required ".Values.storage.gcedisk.availabilityZone is required" .Values.storage.gcedisk.availabilityZone }}
+ fsType: {{ .Values.storage.fsType | default "ext4" }}
+{{- else if or (eq .Values.storage.backend "ebs") (eq .Values.storage.backend "ebs-csi")}}
+ volumeBackend: {{ .Values.storage.backend }}
+ VolumeType: {{ .Values.storage.ebs.volumeType | default "gp3" }}
+ AvailabilityZone: {{ required ".Values.storage.ebs.availabilityZone is required" .Values.storage.ebs.availabilityZone }}
+ fsType: {{ .Values.storage.fsType | default "ext4" }}
+ encrypted: {{ .Values.storage.ebs.encrypted | default "false" | quote }}
+ {{- with .Values.storage.ebs.kmsKeyId }}
+ kmsKeyId: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.storage.ebs.iops }}
+ iops: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.storage.ebs.throughput }}
+ throughput: {{ .
| quote }}
+ {{- end }}
+{{- else if or (eq .Values.storage.backend "azuredisk") (eq .Values.storage.backend "azuredisk-csi")}}
+ volumeBackend: {{ .Values.storage.backend }}
+ kind: managed
+ skuName: {{ .Values.storage.azuredisk.skuName | default "Premium_LRS" }}
+ fsType: {{ .Values.storage.fsType | default "ext4" }}
+ cachingMode: {{ .Values.storage.azuredisk.cachingMode | default "None" }}
+ {{- with .Values.storage.azuredisk.availabilityZone }}
+ availabilityZone: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.storage.azuredisk.resourceGroup }}
+ resourceGroup: {{ . | quote }}
+ {{- end }}
+{{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/_helpers.tpl b/charts/codefresh/cf-runtime/6.3.61/templates/_helpers.tpl
new file mode 100644
index 000000000..72f44e36a
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/_helpers.tpl
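Review bot: `encrypted: {{ .Values.storage.ebs.encrypted | default "false" | quote }}` makes unencrypted EBS volumes the default for the `ebs` and `ebs-csi` backends even though `kmsKeyId` is already plumbed through for the encrypted case, and nothing in the hunk documents that choice. Defaulting to `"true"` would be the safer baseline (EBS then typically falls back to the account's default key when no `kmsKeyId` is given), but it changes behavior for existing installs, so at minimum a comment above the line, `{{/* dind volumes are created unencrypted unless storage.ebs.encrypted is set */}}`, and the matching values documentation should say so. Note that `default` treats a boolean `false` as empty, so if the default is ever flipped, an explicit `encrypted: false` from the user would be overridden unless the template switches to a presence check such as `hasKey .Values.storage.ebs "encrypted"`.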
@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cf-runtime.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cf-runtime.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cf-runtime.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cf-runtime.labels" -}}
+helm.sh/chart: {{ include "cf-runtime.chart" . }}
+{{ include "cf-runtime.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cf-runtime.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cf-runtime.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/app-proxy/deployment.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/app-proxy/deployment.yaml
new file mode 100644
index 000000000..90341b305
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/app-proxy/deployment.yaml
@@ -0,0 +1,9 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $appProxyContext.Values.enabled }}
+{{- include "app-proxy.resources.deployment" $appProxyContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/app-proxy/ingress.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/app-proxy/ingress.yaml
new file mode 100644
index 000000000..56ab5e95e
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/app-proxy/ingress.yaml
@@ -0,0 +1,9 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $appProxyContext.Values.enabled }}
+{{- include "app-proxy.resources.ingress" $appProxyContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/app-proxy/rbac.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/app-proxy/rbac.yaml
new file mode 100644
index 000000000..4db87dcb4
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/app-proxy/rbac.yaml
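Review bot: `set $appProxyContext "Values" (get .Values "appProxy")` reads the `appProxy` map from the root `.Values`, not from the deep copy, so the three `set` calls that follow mutate the chart's real `.Values.appProxy` map (adding `global`, `nameOverride` and `fullnameOverride` keys to it) and the `deepCopy` isolates nothing; `ingress.yaml` in this same line, `rbac.yaml` and `service.yaml` in the next, and the three `event-exporter` wrappers repeat the pattern. It is harmless as long as nothing else walks `.Values.appProxy`, but the evident intent is isolation, which `{{- $_ := set $appProxyContext "Values" (get $appProxyContext.Values "appProxy") }}` achieves because `get` is evaluated against the copied `Values` before `set` rebinds it.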
@@ -0,0 +1,9 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $appProxyContext.Values.enabled }}
+{{- include "app-proxy.resources.rbac" $appProxyContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/app-proxy/service.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/app-proxy/service.yaml
new file mode 100644
index 000000000..0b9d85ec0
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/app-proxy/service.yaml
@@ -0,0 +1,9 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $appProxyContext.Values.enabled }}
+{{- include "app-proxy.resources.service" $appProxyContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/event-exporter/deployment.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/event-exporter/deployment.yaml
new file mode 100644
index 000000000..494288240
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/event-exporter/deployment.yaml
@@ -0,0 +1,9 @@
+{{- $eventExporterContext := deepCopy . }}
+{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
+{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
+{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $eventExporterContext.Values.enabled }}
+{{- include "event-exporter.resources.deployment" $eventExporterContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/event-exporter/rbac.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/event-exporter/rbac.yaml
new file mode 100644
index 000000000..6a9bf5c65
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/event-exporter/rbac.yaml
@@ -0,0 +1,9 @@
+{{- $eventExporterContext := deepCopy . }}
+{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
+{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
+{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $eventExporterContext.Values.enabled }}
+{{- include "event-exporter.resources.rbac" $eventExporterContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/event-exporter/service.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/event-exporter/service.yaml
new file mode 100644
index 000000000..c5d856dfe
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/event-exporter/service.yaml
@@ -0,0 +1,11 @@
+{{- $eventExporterContext := deepCopy . }}
+{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
+{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
+{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $eventExporterContext.Values.enabled }}
+{{- include "event-exporter.resources.service" $eventExporterContext }}
+---
+{{- include "event-exporter.resources.serviceMonitor" $eventExporterContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/extra/extra-resources.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/extra/extra-resources.yaml
new file mode 100644
index 000000000..1a9777c64
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/extra/extra-resources.yaml
@@ -0,0 +1,6 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+
+{{- range .Values.extraResources }}
+---
+{{ include (printf "%s.tplrender" $cfCommonTplSemver) (dict "Values" . "context" $) }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/extra/runtime-images-cm.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/extra/runtime-images-cm.yaml
new file mode 100644
index 000000000..f269c84b2
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/extra/runtime-images-cm.yaml
@@ -0,0 +1,19 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.engine.runtimeImages }}
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ {{- /* dummy template just to list runtime images */}}
+ name: {{ include "runtime.fullname" . }}-images
+ labels:
+ {{- include "runtime.labels" . | nindent 4 }}
+ annotations:
+ {{- with $values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+data:
+ images: |
+ {{- range $key, $val := $values }}
+ image: {{ $val }}
+ {{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/hooks/post-install/cm-update-runtime.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/hooks/post-install/cm-update-runtime.yaml
new file mode 100644
index 000000000..46a306c56
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/hooks/post-install/cm-update-runtime.yaml
@@ -0,0 +1,18 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.patch }}
+{{- if $values.enabled }}
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: {{ include "runtime.fullname" . }}-spec
+ labels:
+ {{- include "runtime.labels" . | nindent 4 }}
+ annotations:
+ {{- with $values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+data:
+ runtime.yaml: |
+ {{ include "runtime.runtime-environment-spec.template" . | nindent 4 | trim }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/hooks/post-install/job-gencerts-dind.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/hooks/post-install/job-gencerts-dind.yaml
new file mode 100644
index 000000000..4a08a229c
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/hooks/post-install/job-gencerts-dind.yaml
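Review bot: `{{- range $key, $val := $values }}` in `runtime-images-cm.yaml` walks every key of `runtime.engine.runtimeImages`, but the same template reads `$values.annotations` a few lines earlier, so whenever `annotations` is set the loop also emits it as an `image:` entry (rendered as a Go map) inside the `images` data; `{{- range $key, $val := omit $values "annotations" }}` keeps the list to images. The `annotations:` key is also emitted unconditionally and renders as `annotations: null` when `$values.annotations` is empty; moving the key inside the `with` block, as `_deployment.yaml` does for `podAnnotations`, avoids that, and the `cm-update-runtime.yaml` hunk has the same unconditional `annotations:` key.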
@@ -0,0 +1,68 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.gencerts }}
+{{- if and $values.enabled }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "runtime.fullname" . }}-gencerts-dind
+ labels:
+ {{- include "runtime.labels" . | nindent 4 }}
+ annotations:
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-weight: "3"
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ {{- with $values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- with $values.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ . }}
+ {{- end }}
+ {{- with $values.backoffLimit }}
+ backoffLimit: {{ . | int }}
+ {{- end }}
+ template:
+ metadata:
+ name: {{ include "runtime.fullname" . }}-gencerts-dind
+ labels:
+ {{- include "runtime.labels" . | nindent 8 }}
+ spec:
+ {{- if $values.rbac.enabled }}
+ serviceAccountName: {{ template "runtime.fullname" . }}-gencerts-dind
+ {{- end }}
+ securityContext:
+ {{- toYaml $values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: gencerts-dind
+ image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
+ imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
+ command:
+ - "/bin/bash"
+ args:
+ - -ec
+ - | {{ .Files.Get "files/configure-dind-certs.sh" | nindent 10 }}
+ env:
+ - name: NAMESPACE
+ value: {{ .Release.Namespace }}
+ - name: RELEASE
+ value: {{ .Release.Name }}
+ - name: CF_API_HOST
+ value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+ - name: CF_API_TOKEN
+ {{- include "runtime.installation-token-env-var-value" . | indent 10}}
+ {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
+ {{- with $values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $values.affinity }}
+ affinity:
+ {{- toYaml .
| nindent 8 }}
+ {{- end }}
+ {{- with $values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ restartPolicy: OnFailure
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/hooks/post-install/job-update-runtime.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/hooks/post-install/job-update-runtime.yaml
new file mode 100644
index 000000000..955e882d7
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/hooks/post-install/job-update-runtime.yaml
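Review bot: `{{- with $values.backoffLimit }}` and `{{- with $values.ttlSecondsAfterFinished }}` skip the field whenever the value is `0`, because `with` treats zero as empty, so a user cannot set `backoffLimit: 0` (Kubernetes then applies its default of 6 retries to a hook that, judging by `configure-dind-certs.sh` and the Role on Secrets in `rbac-gencerts-dind.yaml`, writes certificate material) or `ttlSecondsAfterFinished: 0`; `job-update-runtime.yaml` in the next hunk has the identical construct. Testing for presence instead, `{{- if hasKey $values "backoffLimit" }}` / `backoffLimit: {{ $values.backoffLimit | int }}` / `{{- end }}`, honors an explicit zero. Both hook jobs also set only a pod-level `securityContext`; a container-level one with at least `allowPrivilegeEscalation: false` is missing, which matters more for a job whose ServiceAccount can create and update Secrets.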
@@ -0,0 +1,77 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.patch }}
+{{- if $values.enabled }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "runtime.fullname" . }}-patch
+ labels:
+ {{- include "runtime.labels" . | nindent 4 }}
+ annotations:
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-weight: "5"
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ {{- with $values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- with $values.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ . }}
+ {{- end }}
+ {{- with $values.backoffLimit }}
+ backoffLimit: {{ . | int }}
+ {{- end }}
+ template:
+ metadata:
+ name: {{ include "runtime.fullname" . }}-patch
+ labels:
+ {{- include "runtime.labels" . | nindent 8 }}
+ spec:
+ securityContext:
+ {{- toYaml $values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: patch-runtime
+ image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
+ imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
+ command:
+ - "/bin/bash"
+ args:
+ - -ec
+ - |
+ codefresh auth create-context --api-key $API_KEY --url $API_HOST
+ cat /usr/share/extras/runtime.yaml
+ codefresh get re
+{{- if .Values.runtime.agent }}
+ codefresh patch re -f /usr/share/extras/runtime.yaml
+{{- else }}
+ codefresh patch sys-re -f /usr/share/extras/runtime.yaml
+{{- end }}
+ env:
+ - name: API_KEY
+ {{- include "runtime.installation-token-env-var-value" . | indent 10}}
+ - name: API_HOST
+ value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+ {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
+ volumeMounts:
+ - name: config
+ mountPath: /usr/share/extras/runtime.yaml
+ subPath: runtime.yaml
+ {{- with $values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ restartPolicy: OnFailure
+ volumes:
+ - name: config
+ configMap:
+ name: {{ include "runtime.fullname" . }}-spec
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/hooks/post-install/rbac-gencerts-dind.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/hooks/post-install/rbac-gencerts-dind.yaml
new file mode 100644
index 000000000..4907dac38
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/hooks/post-install/rbac-gencerts-dind.yaml
@@ -0,0 +1,37 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.gencerts }}
+{{- if and $values.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "runtime.fullname" . }}-gencerts-dind
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "runtime.fullname" . }}-gencerts-dind
+ namespace: {{ .Release.Namespace }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ - configmaps
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "runtime.fullname" . }}-gencerts-dind
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "runtime.fullname" . }}-gencerts-dind
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "runtime.fullname" . }}-gencerts-dind
+ namespace: {{ .Release.Namespace }}
+{{ end }}
\ No newline at end of file
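Review bot: The installation token is handed to the CLI as a command-line argument in the script block (`codefresh auth create-context --api-key $API_KEY --url $API_HOST`), so for the duration of that command it is readable from the container's process table, even though the env var itself is correctly sourced from a Secret via `runtime.installation-token-env-var-value`. If the CLI can read the key from the environment or stdin, prefer that form; if it cannot, a one-line comment in the script stating the trade-off is worth adding. `cat /usr/share/extras/runtime.yaml` and `codefresh get re` also copy the full runtime spec into the Job log; the spec rendered by runtime-env-spec-tmpl.yaml holds no credentials as far as this commit shows, so that is a log-hygiene point rather than a leak, but `cat` is only useful for debugging and could be dropped.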
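Review bot: The ServiceAccount, Role and RoleBinding in rbac-gencerts-dind.yaml are rendered whenever `$values.enabled` is true, but job-gencerts-dind.yaml only sets `serviceAccountName` when `$values.rbac.enabled` is also true, so with `rbac.enabled: false` the Job runs under the namespace's default ServiceAccount while an unused Role with full get/list/watch/create/update/patch/delete on secrets and configmaps is still created. Guard the whole file with `{{- if and $values.enabled $values.rbac.enabled }}` or add a comment saying why the objects are wanted regardless. rbac-cleanup-resources.yaml has the same mismatch with job-cleanup-resources.yaml. Unlike the cleanup RBAC objects, these carry no `helm.sh/hook` annotations and so persist as ordinary release resources after the post-install Job is gone; a comment stating whether that is intended would help.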
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/hooks/pre-delete/job-cleanup-resources.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/hooks/pre-delete/job-cleanup-resources.yaml
new file mode 100644
index 000000000..0e3c7659f
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/hooks/pre-delete/job-cleanup-resources.yaml
@@ -0,0 +1,73 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.patch }}
+{{- if and $values.enabled }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "runtime.fullname" . }}-cleanup
+ labels:
+ {{- include "runtime.labels" . | nindent 4 }}
+ annotations:
+ helm.sh/hook: pre-delete
+ helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+ {{- with $values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- with $values.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ . }}
+ {{- end }}
+ {{- with $values.backoffLimit }}
+ backoffLimit: {{ . | int }}
+ {{- end }}
+ template:
+ metadata:
+ name: {{ include "runtime.fullname" . }}-cleanup
+ labels:
+ {{- include "runtime.labels" . | nindent 8 }}
+ spec:
+ {{- if $values.rbac.enabled }}
+ serviceAccountName: {{ template "runtime.fullname" . }}-cleanup
+ {{- end }}
+ securityContext:
+ {{- toYaml $values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: cleanup
+ image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
+ imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
+ command:
+ - "/bin/bash"
+ args:
+ - -ec
+ - | {{ .Files.Get "files/cleanup-runtime.sh" | nindent 10 }}
+ env:
+ - name: AGENT_NAME
+ value: {{ include "runtime.runtime-environment-spec.agent-name" . }}
+ - name: RUNTIME_NAME
+ value: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+ - name: API_HOST
+ value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+ - name: API_TOKEN
+ {{- include "runtime.installation-token-env-var-value" . | indent 10}}
+ - name: AGENT
+ value: {{ .Values.runtime.agent | quote }}
+ - name: AGENT_SECRET_NAME
+ value: {{ include "runner.fullname" . }}
+ - name: DIND_SECRET_NAME
+ value: codefresh-certs-server
+ {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
+ {{- with $values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with $values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ restartPolicy: OnFailure
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/hooks/pre-delete/rbac-cleanup-resources.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/hooks/pre-delete/rbac-cleanup-resources.yaml
new file mode 100644
index 000000000..468ec2212
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/hooks/pre-delete/rbac-cleanup-resources.yaml
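Review bot: This pre-delete Job takes its whole configuration from `.Values.runtime.patch` (second line of the hunk), so its image, pod security context, `rbac.enabled` switch and even whether it renders at all are the post-install patch job's settings, and turning the patch hook off silently disables cleanup as well. If that coupling is deliberate, say so above the assignment, e.g. `{{- /* cleanup reuses .runtime.patch; there is no separate .runtime.cleanup values section */}}`; otherwise give the cleanup hook its own values section so the two can be tuned independently. The script body comes from files/cleanup-runtime.sh, which is outside this hunk, so what it does with `AGENT_SECRET_NAME` and `DIND_SECRET_NAME` cannot be checked here.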
@@ -0,0 +1,46 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.patch }}
+{{- if and $values.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "runtime.fullname" . }}-cleanup
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "runtime.fullname" . }}-cleanup
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+rules:
+ - apiGroups:
+ - "*"
+ resources:
+ - "*"
+ verbs:
+ - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "runtime.fullname" . }}-cleanup
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "runtime.fullname" . }}-cleanup
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "runtime.fullname" . }}-cleanup
+ namespace: {{ .Release.Namespace }}
+{{ end }}
\ No newline at end of file
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/monitor/deployment.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/monitor/deployment.yaml
new file mode 100644
index 000000000..00c9fb2f9
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/monitor/deployment.yaml
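Review bot: The cleanup Role grants `apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]`, which is every permission a namespaced subject can hold, for a Job whose env block in job-cleanup-resources.yaml names only two Secrets (`AGENT_SECRET_NAME`, `DIND_SECRET_NAME`). Scope the rules to the kinds and verbs that files/cleanup-runtime.sh actually uses (the script is outside this hunk, so the exact list must come from it); if deleting those two Secrets is all it does, `resources: ["secrets"]` with `verbs: ["get", "delete"]` would suffice. The `hook-failed` entry in `helm.sh/hook-delete-policy` does remove the binding after a failed run, but it is live for as long as the Job is running or stuck. A comment above `rules:` recording why a wildcard was chosen would at least make the decision reviewable.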
@@ -0,0 +1,9 @@
+{{- $monitorContext := deepCopy . }}
+{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
+{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
+{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $monitorContext.Values.enabled }}
+{{- include "monitor.resources.deployment" $monitorContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/monitor/rbac.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/monitor/rbac.yaml
new file mode 100644
index 000000000..f9812d565
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/monitor/rbac.yaml
@@ -0,0 +1,9 @@
+{{- $monitorContext := deepCopy . }}
+{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
+{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
+{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $monitorContext.Values.enabled }}
+{{- include "monitor.resources.rbac" $monitorContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/monitor/service.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/monitor/service.yaml
new file mode 100644
index 000000000..f99706614
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/monitor/service.yaml
@@ -0,0 +1,9 @@
+{{- $monitorContext := deepCopy . }}
+{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
+{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
+{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $monitorContext.Values.enabled }}
+{{- include "monitor.resources.service" $monitorContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/other/external-secrets.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/other/external-secrets.yaml
new file mode 100644
index 000000000..dc24e24e5
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/other/external-secrets.yaml
@@ -0,0 +1,2 @@
+{{ $templateName := printf "cf-common-%s.external-secrets" (index .Subcharts "cf-common").Chart.Version }}
+{{- include $templateName . -}}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/other/podMonitor.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/other/podMonitor.yaml
new file mode 100644
index 000000000..4319b722b
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/other/podMonitor.yaml
@@ -0,0 +1,2 @@
+{{ $templateName := printf "cf-common-%s.podMonitor" (index .Subcharts "cf-common").Chart.Version }}
+{{- include $templateName . -}}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/other/serviceMonitor.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/other/serviceMonitor.yaml
new file mode 100644
index 000000000..29f890fe2
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/other/serviceMonitor.yaml
@@ -0,0 +1,2 @@
+{{ $templateName := printf "cf-common-%s.serviceMonitor" (index .Subcharts "cf-common").Chart.Version }}
+{{- include $templateName . -}}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/runner/deployment.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/runner/deployment.yaml
new file mode 100644
index 000000000..85777c487
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/runner/deployment.yaml
@@ -0,0 +1,9 @@
+{{- $runnerContext := deepCopy . }}
+{{- $_ := set $runnerContext "Values" (get .Values "runner") }}
+{{- $_ := set $runnerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $runnerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $runnerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $runnerContext.Values.enabled .Values.runtime.agent }}
+{{- include "runner.resources.deployment" $runnerContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/runner/rbac.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/runner/rbac.yaml
new file mode 100644
index 000000000..d5f8c1323
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/runner/rbac.yaml
@@ -0,0 +1,9 @@
+{{- $runnerContext := deepCopy . }}
+{{- $_ := set $runnerContext "Values" (get .Values "runner") }}
+{{- $_ := set $runnerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $runnerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $runnerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $runnerContext.Values.enabled .Values.runtime.agent }}
+{{- include "runner.resources.rbac" $runnerContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/runtime/_helpers.tpl b/charts/codefresh/cf-runtime/6.3.61/templates/runtime/_helpers.tpl
new file mode 100644
index 000000000..6ba04fcc3
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/runtime/_helpers.tpl
@@ -0,0 +1,123 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "runtime.name" -}}
+ {{- printf "%s" (include "cf-runtime.name" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "runtime.fullname" -}}
+ {{- printf "%s" (include "cf-runtime.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "runtime.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: runtime
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "runtime.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: runtime
+{{- end }}
+
+{{/*
+Return runtime image (classic runtime) with private registry prefix
+*/}}
+{{- define "runtime.runtimeImageName" -}}
+ {{- if .registry -}}
+ {{- $imageName := (trimPrefix "quay.io/" .imageFullName) -}}
+ {{- printf "%s/%s" .registry $imageName -}}
+ {{- else -}}
+ {{- printf "%s" .imageFullName -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Environment variable value of Codefresh installation token
+*/}}
+{{- define "runtime.installation-token-env-var-value" -}}
+ {{- if .Values.global.codefreshToken }}
+valueFrom:
+ secretKeyRef:
+ name: {{ include "runtime.installation-token-secret-name" . }}
+ key: codefresh-api-token
+ {{- else if .Values.global.codefreshTokenSecretKeyRef }}
+valueFrom:
+ secretKeyRef:
+ {{- .Values.global.codefreshTokenSecretKeyRef | toYaml | nindent 4 }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Environment variable value of Codefresh agent token
+*/}}
+{{- define "runtime.agent-token-env-var-value" -}}
+ {{- if .Values.global.agentToken }}
+{{- printf "%s" .Values.global.agentToken | toYaml }}
+ {{- else if .Values.global.agentTokenSecretKeyRef }}
+valueFrom:
+ secretKeyRef:
+ {{- .Values.global.agentTokenSecretKeyRef | toYaml | nindent 4 }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Print Codefresh API token secret name
+*/}}
+{{- define "runtime.installation-token-secret-name" }}
+{{- print "codefresh-user-token" }}
+{{- end }}
+
+{{/*
+Print Codefresh host
+*/}}
+{{- define "runtime.runtime-environment-spec.codefresh-host" }}
+{{- if and (not .Values.global.codefreshHost) }}
+ {{- fail "ERROR: .global.codefreshHost is required" }}
+{{- else }}
+ {{- printf "%s" (trimSuffix "/" .Values.global.codefreshHost) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Print runtime-environment name
+*/}}
+{{- define "runtime.runtime-environment-spec.runtime-name" }}
+{{- if and (not .Values.global.runtimeName) }}
+ {{- printf "%s/%s" .Values.global.context .Release.Namespace }}
+{{- else }}
+ {{- printf "%s" .Values.global.runtimeName }}
+{{- end }}
+{{- end }}
+
+{{/*
+Print agent name
+*/}}
+{{- define "runtime.runtime-environment-spec.agent-name" }}
+{{- if and (not .Values.global.agentName) }}
+ {{- printf "%s_%s" .Values.global.context .Release.Namespace }}
+{{- else }}
+ {{- printf "%s" .Values.global.agentName }}
+{{- end }}
+{{- end }}
+
+{{/*
+Print context
+*/}}
+{{- define "runtime.runtime-environment-spec.context-name" }}
+{{- if and (not .Values.global.context) }}
+ {{- fail "ERROR: .global.context is required" }}
+{{- else }}
+ {{- printf "%s" .Values.global.context }}
+{{- end }}
+{{- end }}
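Review bot: `runtime.agent-token-env-var-value` emits the agent token itself (`{{- printf "%s" .Values.global.agentToken | toYaml }}`) when `.Values.global.agentToken` is set, whereas `runtime.installation-token-env-var-value` directly above it always emits a `secretKeyRef`. Wherever this helper is consumed (its caller is not in this hunk), the token then appears as a literal in the rendered workload manifest and is readable by anyone who can get that object, not only by those allowed to read Secrets. Consider writing `agentToken` into a Secret the way runtime/secret.yaml does for `codefreshToken` and returning a `secretKeyRef` from both branches; at minimum the comment above the define should say that the first branch inlines the value. The `if and (not ...)` forms in the four `runtime-environment-spec.*` helpers wrap a single operand and read more plainly as `if not ...`.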
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/runtime/cm-dind-daemon.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/runtime/cm-dind-daemon.yaml
new file mode 100644
index 000000000..fc7f92905
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/runtime/cm-dind-daemon.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ {{- /* has to be a constant */}}
+ name: codefresh-dind-config
+ labels:
+ {{- include "runtime.labels" . | nindent 4 }}
+data:
+ daemon.json: |
+{{ coalesce .Values.re.dindDaemon .Values.runtime.dindDaemon | toPrettyJson | indent 4 }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/runtime/rbac.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/runtime/rbac.yaml
new file mode 100644
index 000000000..a51b12526
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/runtime/rbac.yaml
@@ -0,0 +1,48 @@
+{{ $values := .Values.runtime }}
+---
+{{- if or $values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ {{- /* has to be a constant */}}
+ name: codefresh-engine
+ labels:
+ {{- include "runtime.labels" . | nindent 4 }}
+ {{- with $values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+---
+{{- if $values.rbac.create }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: codefresh-engine
+ labels:
+ {{- include "runner.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "secrets" ]
+ verbs: [ "get" ]
+{{- with $values.rbac.rules }}
+ {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and $values.serviceAccount.create $values.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: codefresh-engine
+ labels:
+ {{- include "runner.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: codefresh-engine
+roleRef:
+ kind: Role
+ name: codefresh-engine
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+
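Review bot: In runtime/rbac.yaml the `codefresh-engine` Role and RoleBinding are labelled with `runner.labels` while the ServiceAccount in the same file uses `runtime.labels`, so the three objects of one identity carry different application labels and will not match the same selectors; use `{{- include "runtime.labels" . | nindent 4 }}` on all three unless the runner labels are wanted on purpose. `$values.rbac.rules` is appended to the Role verbatim, which is a supported way to widen what the engine ServiceAccount may do, and deserves a comment above the `with` such as `{{- /* .runtime.rbac.rules are granted to the engine ServiceAccount as-is; keep them minimal */}}`. The `or` in `{{- if or $values.serviceAccount.create }}` has a single operand and reads as plain `if`.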
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/runtime/runtime-env-spec-tmpl.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/runtime/runtime-env-spec-tmpl.yaml
new file mode 100644
index 000000000..c0ae0ff82
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/runtime/runtime-env-spec-tmpl.yaml
@@ -0,0 +1,211 @@
+{{- define "runtime.runtime-environment-spec.template" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version -}}
+{{- $kubeconfigFilePath := (include "runtime.runtime-environment-spec.runtime-name" .) -}}
+{{- $name := (include "runtime.runtime-environment-spec.runtime-name" .) -}}
+{{- $engineContext := .Values.runtime.engine -}}
+{{- $dindContext := .Values.runtime.dind -}}
+{{- $imageRegistry := .Values.global.imageRegistry -}}
+metadata:
+ name: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+ agent: {{ .Values.runtime.agent }}
+runtimeScheduler:
+ type: KubernetesPod
+ {{- if $engineContext.image }}
+ image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $engineContext.image "context" .) | squote }}
+ {{- end }}
+ imagePullPolicy: {{ $engineContext.image.pullPolicy }}
+ {{- with $engineContext.command }}
+ command: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ envVars:
+ {{- with $engineContext.env }}
+ {{- range $key, $val := . }}
+ {{- if or (kindIs "bool" $val) (kindIs "int" $val) (kindIs "float64" $val) }}
+ {{ $key }}: {{ $val | squote }}
+ {{- else }}
+ {{ $key }}: {{ $val }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ COMPOSE_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.COMPOSE_IMAGE) | squote }}
+ CONTAINER_LOGGER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.CONTAINER_LOGGER_IMAGE) | squote }}
+ DOCKER_BUILDER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_BUILDER_IMAGE) | squote }}
+ DOCKER_PULLER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_PULLER_IMAGE) | squote }}
+ DOCKER_PUSHER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_PUSHER_IMAGE) | squote }}
+ DOCKER_TAG_PUSHER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) | squote }}
+ FS_OPS_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.FS_OPS_IMAGE) | squote }}
+ GIT_CLONE_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.GIT_CLONE_IMAGE) | squote }}
+ KUBE_DEPLOY: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.KUBE_DEPLOY) | squote }}
+ PIPELINE_DEBUGGER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.PIPELINE_DEBUGGER_IMAGE) | squote }}
+ TEMPLATE_ENGINE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.TEMPLATE_ENGINE) | squote }}
+ CR_6177_FIXER: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.CR_6177_FIXER) | squote }}
+ GC_BUILDER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.GC_BUILDER_IMAGE) | squote }}
+ COSIGN_IMAGE_SIGNER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.COSIGN_IMAGE_SIGNER_IMAGE) | squote }}
+ {{- with $engineContext.userEnvVars }}
+ userEnvVars: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $engineContext.workflowLimits }}
+ workflowLimits: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ cluster:
+ namespace: {{ .Release.Namespace }}
+ serviceAccount: {{ $engineContext.serviceAccount }}
+ {{- if .Values.runtime.agent }}
+ clusterProvider:
+ accountId: {{ .Values.global.accountId }}
+ selector: {{ include "runtime.runtime-environment-spec.context-name" . }}
+ {{- else }}
+ {{- if .Values.runtime.inCluster }}
+ inCluster: true
+ kubeconfigFilePath: null
+ {{- else }}
+ name: {{ $name }}
+ kubeconfigFilePath: {{ printf "/etc/kubeconfig/%s" $kubeconfigFilePath }}
+ {{- end }}
+ {{- end }}
+ {{- with $engineContext.nodeSelector }}
+ nodeSelector: {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with $engineContext.affinity }}
+ affinity: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $engineContext.tolerations }}
+ tolerations: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $engineContext.podAnnotations }}
+ annotations:
+ {{- range $key, $val := . }}
+ {{ $key }}: {{ $val | squote }}
+ {{- end }}
+ {{- end }}
+ {{- with $engineContext.podLabels }}
+ labels: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if $engineContext.schedulerName }}
+ schedulerName: {{ $engineContext.schedulerName }}
+ {{- end }}
+ resources:
+ {{- if $engineContext.resources}}
+ {{- toYaml $engineContext.resources | nindent 4 }}
+ {{- end }}
+dockerDaemonScheduler:
+ type: DindKubernetesPod
+ {{- if $dindContext.image }}
+ dindImage: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $dindContext.image "context" .) | squote }}
+ {{- end }}
+ imagePullPolicy: {{ $dindContext.image.pullPolicy }}
+ {{- with $dindContext.userAccess }}
+ userAccess: {{ . }}
+ {{- end }}
+ {{- with $dindContext.env }}
+ envVars:
+ {{- range $key, $val := . }}
+ {{- if or (kindIs "bool" $val) (kindIs "int" $val) (kindIs "float64" $val) }}
+ {{ $key }}: {{ $val | squote }}
+ {{- else }}
+ {{ $key }}: {{ $val }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ cluster:
+ namespace: {{ .Release.Namespace }}
+ serviceAccount: {{ $dindContext.serviceAccount }}
+ {{- if .Values.runtime.agent }}
+ clusterProvider:
+ accountId: {{ .Values.global.accountId }}
+ selector: {{ include "runtime.runtime-environment-spec.context-name" . }}
+ {{- else }}
+ {{- if .Values.runtime.inCluster }}
+ inCluster: true
+ kubeconfigFilePath: null
+ {{- else }}
+ name: {{ $name }}
+ kubeconfigFilePath: {{ printf "/etc/kubeconfig/%s" $kubeconfigFilePath }}
+ {{- end }}
+ {{- end }}
+ {{- with $dindContext.nodeSelector }}
+ nodeSelector: {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with $dindContext.affinity }}
+ affinity: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $dindContext.tolerations }}
+ tolerations: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $dindContext.podAnnotations }}
+ annotations:
+ {{- range $key, $val := . }}
+ {{ $key }}: {{ $val | squote }}
+ {{- end }}
+ {{- end }}
+ {{- with $dindContext.podLabels }}
+ labels: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if $dindContext.schedulerName }}
+ schedulerName: {{ $dindContext.schedulerName }}
+ {{- end }}
+ {{- if $dindContext.pvcs }}
+ pvcs:
+ {{- range $index, $pvc := $dindContext.pvcs }}
+ - name: {{ $pvc.name }}
+ reuseVolumeSelector: {{ $pvc.reuseVolumeSelector | squote }}
+ reuseVolumeSortOrder: {{ $pvc.reuseVolumeSortOrder }}
+ storageClassName: {{ include (printf "%v.tplrender" $cfCommonTplSemver) (dict "Values" $pvc.storageClassName "context" $) }}
+ volumeSize: {{ $pvc.volumeSize }}
+ {{- with $pvc.annotations }}
+ annotations: {{ . | toYaml | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ defaultDindResources:
+ {{- with $dindContext.resources }}
+ {{- if not .requests }}
+ limits: {{- toYaml .limits | nindent 6 }}
+ requests: null
+ {{- else }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- with $dindContext.terminationGracePeriodSeconds }}
+ terminationGracePeriodSeconds: {{ . }}
+ {{- end }}
+ {{- with $dindContext.userVolumeMounts }}
+ userVolumeMounts: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $dindContext.userVolumes }}
+ userVolumes: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if and (not .Values.runtime.agent) }}
+ clientCertPath: /etc/ssl/cf/
+ volumeMounts:
+ codefresh-certs-server:
+ name: codefresh-certs-server
+ mountPath: /etc/ssl/cf
+ readOnly: false
+ volumes:
+ codefresh-certs-server:
+ name: codefresh-certs-server
+ secret:
+ secretName: codefresh-certs-server
+ {{- end }}
+extends: {{- toYaml .Values.runtime.runtimeExtends | nindent 2 }}
+ {{- if .Values.runtime.description }}
+description: {{ .Values.runtime.description }}
+ {{- else }}
+description: null
+ {{- end }}
+{{- if .Values.global.accountId }}
+accountId: {{ .Values.global.accountId }}
+{{- end }}
+{{- if not .Values.runtime.agent }}
+accounts: {{- toYaml .Values.runtime.accounts | nindent 2 }}
+{{- end }}
+{{- if .Values.appProxy.enabled }}
+appProxy:
+ externalIP: >-
+ {{ printf "https://%s%s" .Values.appProxy.ingress.host (.Values.appProxy.ingress.pathPrefix | default "/") }}
+{{- end }}
+{{- if not .Values.runtime.agent }}
+systemHybrid: true
+{{- end }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/runtime/secret.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/runtime/secret.yaml
new file mode 100644
index 000000000..2366d3ccf
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/runtime/secret.yaml
@@ -0,0 +1,11 @@
+{{- if and .Values.global.codefreshToken }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ include "runtime.installation-token-secret-name" . }}
+ labels:
+ {{- include "runtime.labels" . | nindent 4 }}
+stringData:
+ codefresh-api-token: {{ .Values.global.codefreshToken }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/runtime/svc-dind.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/runtime/svc-dind.yaml
new file mode 100644
index 000000000..098edb4e8
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/runtime/svc-dind.yaml
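Review bot: The `codefresh-certs-server` mount in the `not .Values.runtime.agent` branch of the dind scheduler is declared `readOnly: false` although it is backed by a Secret volume and is only referenced as `clientCertPath`; `readOnly: true` is the least-privilege setting for TLS key material. This spec is handed to the Codefresh runtime rather than applied as a Pod directly, so if the runtime needs the mount writable, a comment on that line saying so would stop the next reviewer from flipping it. Separately, `$kubeconfigFilePath` and `$name` at the top of the define are assigned the same expression; one variable with a comment noting it also names the kubeconfig file would be clearer.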
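Review bot: In runtime/secret.yaml, `codefresh-api-token: {{ .Values.global.codefreshToken }}` writes the token into `stringData` unquoted, so a value that YAML types differently (all digits, `true`/`null`-like, or containing `: ` or ` #`) is mangled or breaks rendering; use `codefresh-api-token: {{ .Values.global.codefreshToken | quote }}`. This path also keeps the token in plaintext in the chart values and the Helm release record, which is what the `codefreshTokenSecretKeyRef` branch in runtime/_helpers.tpl avoids; a comment here such as `{{- /* prefer .global.codefreshTokenSecretKeyRef to keep the token out of values */}}` would point users at it. `{{- if and .Values.global.codefreshToken }}` has a single operand and reads as plain `if`.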
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ {{- include "runtime.labels" . | nindent 4 }}
+ app: dind
+ {{/* has to be a constant */}}
+ name: dind
+spec:
+ ports:
+ - name: "dind-port"
+ port: 1300
+ protocol: TCP
+ clusterIP: None
+ selector:
+ app: dind
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/cronjob.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/cronjob.yaml
new file mode 100644
index 000000000..db955bc77
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/cronjob.yaml
@@ -0,0 +1,11 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values.volumeProvisioner "dind-volume-cleanup") }}
+{{- $_ := set $volumeProvisionerContext.Values "serviceAccount" (get .Values.volumeProvisioner "serviceAccount") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $volumeProvisionerContext.Values.enabled .Values.volumeProvisioner.enabled }}
+{{- include "dind-volume-provisioner.resources.cronjob" $volumeProvisionerContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/daemonset.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/daemonset.yaml
new file mode 100644
index 000000000..39927149e
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/daemonset.yaml
@@ -0,0 +1,11 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values.volumeProvisioner "dind-lv-monitor") }}
+{{- $_ := set $volumeProvisionerContext.Values "serviceAccount" (get .Values.volumeProvisioner "serviceAccount") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $volumeProvisionerContext.Values.enabled .Values.volumeProvisioner.enabled }}
+{{- include "dind-volume-provisioner.resources.daemonset" $volumeProvisionerContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/deployment.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/deployment.yaml
new file mode 100644
index 000000000..522fa8791
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/deployment.yaml
@@ -0,0 +1,10 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $volumeProvisionerContext.Values.enabled }}
+{{- include "dind-volume-provisioner.resources.deployment" $volumeProvisionerContext }}
+{{- end }}
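Review bot: The four `set $volumeProvisionerContext.Values "<key>" (get .Values "<key>")` lines in deployment.yaml are repeated verbatim in rbac.yaml, secret.yaml and storageclass.yaml (and with two extra keys in cronjob.yaml and daemonset.yaml), so any future key added to the sub-context has to be added in six places. A loop keeps each file to one list of keys: `{{- range list "global" "storage" "nameOverride" "fullnameOverride" }}`, `{{- $_ := set $volumeProvisionerContext.Values . (get $.Values .) }}`, `{{- end }}`. rbac.yaml is the only one of the six that does not copy `storage`; if that is deliberate (RBAC does not depend on the storage backend) a comment saying so would stop someone from "fixing" it.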
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/rbac.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/rbac.yaml
new file mode 100644
index 000000000..f3ae9609f
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/rbac.yaml
@@ -0,0 +1,9 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $volumeProvisionerContext.Values.enabled }}
+{{- include "dind-volume-provisioner.resources.rbac" $volumeProvisionerContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/secret.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/secret.yaml
new file mode 100644
index 000000000..accf601d1
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/secret.yaml
@@ -0,0 +1,10 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $volumeProvisionerContext.Values.enabled }}
+{{- include "dind-volume-provisioner.resources.secret" $volumeProvisionerContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/storageclass.yaml b/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/storageclass.yaml
new file mode 100644
index 000000000..77a7602da
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/templates/volume-provisioner/storageclass.yaml
@@ -0,0 +1,10 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $volumeProvisionerContext.Values.enabled }}
+{{- include "dind-volume-provisioner.resources.storageclass" $volumeProvisionerContext }}
+{{- end }}
diff --git a/charts/codefresh/cf-runtime/6.3.61/values.yaml b/charts/codefresh/cf-runtime/6.3.61/values.yaml
new file mode 100644
index 000000000..88ad3fac0
--- /dev/null
+++ b/charts/codefresh/cf-runtime/6.3.61/values.yaml
@@ -0,0 +1,947 @@ +# -- String to partially override cf-runtime.fullname template (will maintain the release name) +nameOverride: "" +# -- String to fully override cf-runtime.fullname template +fullnameOverride: "" + +# -- Global parameters +# @default -- See below +global: + # -- Global Docker image registry + imageRegistry: "" + # -- Global Docker registry secret names as array + imagePullSecrets: [] + + # -- URL of Codefresh Platform (required!) + codefreshHost: "https://g.codefresh.io" + # -- User token in plain text (required if `global.codefreshTokenSecretKeyRef` is omitted!) + # Ref: https://g.codefresh.io/user/settings (see API Keys) + # Minimal API key scopes: Runner-Installation(read+write), Agent(read+write), Agents(read+write) + codefreshToken: "" + # -- User token that references an existing secret containing API key (required if `global.codefreshToken` is omitted!) + codefreshTokenSecretKeyRef: {} + + # E.g. + # codefreshTokenSecretKeyRef: + # name: my-codefresh-api-token + # key: codefresh-api-token + + # -- Account ID (required!) + # Can be obtained here https://g.codefresh.io/2.0/account-settings/account-information + accountId: "" + + # -- K8s context name (required!) + context: "" + # E.g. + # context: prod-ue1-runtime-1 + + # -- Agent Name (optional!) + # If omitted, the following format will be used `{{ .Values.global.context }}_{{ .Release.Namespace }}` + agentName: "" + # E.g. + # agentName: prod-ue1-runtime-1 + + # -- Runtime name (optional!) + # If omitted, the following format will be used `{{ .Values.global.context }}/{{ .Release.Namespace }}` + runtimeName: "" + # E.g. + # runtimeName: prod-ue1-runtime-1/namespace + + # -- DEPRECATED Agent token in plain text. + # !!! MUST BE provided if migrating from < 6.x chart version + agentToken: "" + # -- DEPRECATED Agent token that references an existing secret containing API key. + # !!! MUST BE provided if migrating from < 6.x chart version + agentTokenSecretKeyRef: {} + # E.g. 
+ # agentTokenSecretKeyRef: + # name: my-codefresh-agent-secret + # key: codefresh-agent-token + +# DEPRECATED -- Use `.Values.global.imageRegistry` instead +dockerRegistry: "" + +# DEPRECATED -- Use `.Values.runtime` instead +re: {} + +# -- Runner parameters +# @default -- See below +runner: + # -- Enable the runner + enabled: true + # -- Set number of pods + replicasCount: 1 + # -- Upgrade strategy + updateStrategy: + type: RollingUpdate + # -- Set pod annotations + podAnnotations: {} + + # -- Set image + image: + registry: quay.io + repository: codefresh/venona + tag: 1.10.2 + + # -- Init container + init: + image: + registry: quay.io + repository: codefresh/cli + tag: 0.85.0-rootless + + resources: + limits: + memory: 512Mi + cpu: '1' + requests: + memory: 256Mi + cpu: '0.2' + + # -- Sidecar container + # Reconciles runtime spec from Codefresh API for drift detection + sidecar: + enabled: false + image: + registry: quay.io + repository: codefresh/codefresh-shell + tag: 0.0.2 + env: + RECONCILE_INTERVAL: 300 + resources: {} + + # -- Add additional env vars + env: {} + # E.g. + # env: + # WORKFLOW_CONCURRENCY: 50 # The number of workflow creation and termination tasks the Runner can handle in parallel. 
Defaults to 50 + + # -- Service Account parameters + serviceAccount: + # -- Create service account + create: true + # -- Override service account name + name: "" + # -- Additional service account annotations + annotations: {} + + # -- RBAC parameters + rbac: + # -- Create RBAC resources + create: true + # -- Add custom rule to the role + rules: [] + + # -- Set security context for the pod + # @default -- See below + podSecurityContext: + enabled: true + runAsUser: 10001 + runAsGroup: 10001 + fsGroup: 10001 + + # -- Readiness probe configuration + # @default -- See below + readinessProbe: + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + + # -- Set requests and limits + resources: {} + # -- Set node selector + nodeSelector: {} + # -- Set tolerations + tolerations: [] + # -- Set affinity + affinity: {} + +# -- Volume Provisioner parameters +# @default -- See below +volumeProvisioner: + # -- Enable volume-provisioner + enabled: true + # -- Set number of pods + replicasCount: 1 + # -- Upgrade strategy + updateStrategy: + type: Recreate + # -- Set pod annotations + podAnnotations: {} + + # -- Set image + image: + registry: quay.io + repository: codefresh/dind-volume-provisioner + tag: 1.35.0 + # -- Add additional env vars + env: {} + # E.g. + # env: + # THREADINESS: 4 # The number of PVC requests the dind-volume-provisioner can process in parallel. Defaults to 4 + + # -- Service Account parameters + serviceAccount: + # -- Create service account + create: true + # -- Override service account name + name: "" + # -- Additional service account annotations + annotations: {} + # E.g. 
+ # serviceAccount: + # annotations: + # eks.amazonaws.com/role-arn: "arn:aws:iam:::role/" + + # -- RBAC parameters + rbac: + # -- Create RBAC resources + create: true + # -- Add custom rule to the role + rules: [] + + # -- Set security context for the pod + # @default -- See below + podSecurityContext: + enabled: true + runAsUser: 3000 + runAsGroup: 3000 + fsGroup: 3000 + + # -- Set node selector + nodeSelector: {} + # -- Set resources + resources: {} + # -- Set tolerations + tolerations: [] + # -- Set affinity + affinity: {} + + # -- `dind-lv-monitor` DaemonSet parameters + # (local volumes cleaner) + # @default -- See below + dind-lv-monitor: + enabled: true + image: + registry: quay.io + repository: codefresh/dind-volume-utils + tag: 1.29.4 + podAnnotations: {} + podSecurityContext: + enabled: true + runAsUser: 1000 + fsGroup: 1000 + containerSecurityContext: {} + env: {} + resources: {} + nodeSelector: {} + tolerations: + - key: 'codefresh/dind' + operator: 'Exists' + effect: 'NoSchedule' + volumePermissions: + enabled: true + image: + registry: docker.io + repository: alpine + tag: 3.18 + resources: {} + securityContext: + runAsUser: 0 # auto + + # `dind-volume-cleanup` CronJob parameters + # (external volumes cleaner) + # @default -- See below + dind-volume-cleanup: + enabled: true + image: + registry: quay.io + repository: codefresh/dind-volume-cleanup + tag: 1.2.0 + env: {} + concurrencyPolicy: Forbid + schedule: "*/10 * * * *" + successfulJobsHistory: 3 + failedJobsHistory: 1 + suspend: false + podAnnotations: {} + podSecurityContext: + enabled: true + fsGroup: 3000 + runAsGroup: 3000 + runAsUser: 3000 + nodeSelector: {} + affinity: {} + tolerations: [] + +# Storage parameters for volume-provisioner +# @default -- See below +storage: + # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`) + backend: local + # -- Set filesystem type (`ext4`/`xfs`) + fsType: "ext4" + + # Storage parametrs example for local volumes on the K8S nodes 
filesystem (i.e. `storage.backend=local`) + # https://kubernetes.io/docs/concepts/storage/volumes/#local + # @default -- See below + local: + # -- Set volume path on the host filesystem + volumeParentDir: /var/lib/codefresh/dind-volumes + + # Storage parameters example for aws ebs disks (i.e. `storage.backend=ebs`/`storage.backend=ebs-csi`) + # https://aws.amazon.com/ebs/ + # https://codefresh.io/docs/docs/installation/codefresh-runner/#aws-backend-volume-configuration + # @default -- See below + ebs: + # -- Set EBS volume type (`gp2`/`gp3`/`io1`) (required) + volumeType: "gp2" + # -- Set EBS volumes availability zone (required) + availabilityZone: "us-east-1a" + # -- Enable encryption (optional) + encrypted: "false" + # -- Set KMS encryption key ID (optional) + kmsKeyId: "" + + # -- Set AWS_ACCESS_KEY_ID for volume-provisioner (optional) + # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions + accessKeyId: "" + # -- Existing secret containing AWS_ACCESS_KEY_ID. + accessKeyIdSecretKeyRef: {} + # E.g. + # accessKeyIdSecretKeyRef: + # name: + # key: + + # -- Set AWS_SECRET_ACCESS_KEY for volume-provisioner (optional) + # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions + secretAccessKey: "" + # -- Existing secret containing AWS_SECRET_ACCESS_KEY + secretAccessKeySecretKeyRef: {} + # E.g. + # secretAccessKeySecretKeyRef: + # name: + # key: + + # E.g. + # ebs: + # volumeType: gp3 + # availabilityZone: us-east-1c + # encrypted: false + # iops: "5000" + # # I/O operations per second. Only effetive when gp3 volume type is specified. + # # Default value - 3000. + # # Max - 16,000 + # throughput: "500" + # # Throughput in MiB/s. Only effective when gp3 volume type is specified. + # # Default value - 125. + # # Max - 1000. 
+ # ebs: + # volumeType: gp2 + # availabilityZone: us-east-1c + # encrypted: true + # kmsKeyId: "1234abcd-12ab-34cd-56ef-1234567890ab" + # accessKeyId: "MYKEYID" + # secretAccessKey: "MYACCESSKEY" + + # Storage parameters example for gce disks + # https://cloud.google.com/compute/docs/disks#pdspecs + # https://codefresh.io/docs/docs/installation/codefresh-runner/#gke-google-kubernetes-engine-backend-volume-configuration + # @default -- See below + gcedisk: + # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`) + volumeType: "pd-ssd" + # -- Set GCP volume availability zone + availabilityZone: "us-west1-a" + # -- Set Google SA JSON key for volume-provisioner (optional) + serviceAccountJson: "" + # -- Existing secret containing containing Google SA JSON key for volume-provisioner (optional) + serviceAccountJsonSecretKeyRef: {} + # E.g. + # gcedisk: + # volumeType: pd-ssd + # availabilityZone: us-central1-c + # serviceAccountJson: |- + # { + # "type": "service_account", + # "project_id": "...", + # "private_key_id": "...", + # "private_key": "...", + # "client_email": "...", + # "client_id": "...", + # "auth_uri": "...", + # "token_uri": "...", + # "auth_provider_x509_cert_url": "...", + # "client_x509_cert_url": "..." + # } + + # Storage parameters example for Azure Disks + # https://codefresh.io/docs/docs/installation/codefresh-runner/#install-codefresh-runner-on-azure-kubernetes-service-aks + # @default -- See below + azuredisk: + # -- Set storage type (`Premium_LRS`) + skuName: Premium_LRS + cachingMode: None + # availabilityZone: northeurope-1 + # resourceGroup: + # DiskIOPSReadWrite: 500 + # DiskMBpsReadWrite: 100 + + mountAzureJson: false + +# -- Set runtime parameters +# @default -- See below + +runtime: + # -- Set annotation on engine Service Account + # Ref: https://codefresh.io/docs/docs/administration/codefresh-runner/#injecting-aws-arn-roles-into-the-cluster + serviceAccount: + create: true + annotations: {} + # E.g. 
+ # serviceAccount: + # annotations: + # eks.amazonaws.com/role-arn: "arn:aws:iam:::role/" + + # -- Set parent runtime to inherit. + # Should not be changes. Parent runtime is controlled from Codefresh side. + runtimeExtends: + - system/default/hybrid/k8s_low_limits + # -- Runtime description + description: "" + + # -- RBAC parameters + rbac: + # -- Create RBAC resources + create: true + # -- Add custom rule to the engine role + rules: [] + + # -- (for On-Premise only) Enable agent + agent: true + # -- (for On-Premise only) Set inCluster runtime + inCluster: true + # -- (for On-Premise only) Assign accounts to runtime (list of account ids) + accounts: [] + + # -- Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). + dind: + # -- Set dind image. + image: + registry: quay.io + repository: codefresh/dind + tag: 26.1.4-1.28.7 # use `latest-rootless/rootless/26.1.4-1.28.7-rootless` tags for rootless-dind + pullPolicy: IfNotPresent + # -- Set dind resources. + resources: + requests: null + limits: + cpu: 400m + memory: 800Mi + # -- PV claim spec parametes. + pvcs: + # -- Default dind PVC parameters + dind: + # -- PVC name prefix. + # Keep `dind` as default! Don't change! + name: dind + # -- PVC storage class name. + # Change ONLY if you need to use storage class NOT from Codefresh volume-provisioner + storageClassName: '{{ include "dind-volume-provisioner.storageClassName" . }}' + # -- PVC size. + volumeSize: 16Gi + # -- PV reuse selector. + # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#volume-reuse-policy + reuseVolumeSelector: codefresh-app,io.codefresh.accountName + reuseVolumeSortOrder: pipeline_id + # -- PV annotations. + annotations: {} + # E.g.: + # annotations: + # codefresh.io/volume-retention: 7d + # -- Set additional env vars. + env: + DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE: true + # -- Set pod annotations. + podAnnotations: {} + # -- Set pod labels. + podLabels: {} + # -- Set node selector. 
+ nodeSelector: {} + # -- Set affinity + affinity: {} + # -- Set tolerations. + tolerations: [] + # -- Set scheduler name. + schedulerName: "" + # -- Set service account for pod. + serviceAccount: codefresh-engine + # -- Keep `true` as default! + userAccess: true + # -- Add extra volumes + userVolumes: {} + # E.g.: + # userVolumes: + # regctl-docker-registry: + # name: regctl-docker-registry + # secret: + # items: + # - key: .dockerconfigjson + # path: config.json + # secretName: regctl-docker-registry + # optional: true + # -- Add extra volume mounts + userVolumeMounts: {} + # E.g.: + # userVolumeMounts: + # regctl-docker-registry: + # name: regctl-docker-registry + # mountPath: /home/appuser/.docker/ + # readOnly: true + + # -- Parameters for Engine pod (aka "pipeline" orchestrator). + engine: + # -- Set image. + image: + registry: quay.io + repository: codefresh/engine + tag: 1.174.12 + pullPolicy: IfNotPresent + # -- Set container command. + command: + - npm + - run + - start + # -- Set resources. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 1000m + memory: 2048Mi + # -- Set system(base) runtime images. + # @default -- See below. 
+ runtimeImages: + COMPOSE_IMAGE: quay.io/codefresh/compose:v2.28.1-1.5.0 + CONTAINER_LOGGER_IMAGE: quay.io/codefresh/cf-container-logger:1.11.6 + DOCKER_BUILDER_IMAGE: quay.io/codefresh/cf-docker-builder:1.3.13 + DOCKER_PULLER_IMAGE: quay.io/codefresh/cf-docker-puller:8.0.17 + DOCKER_PUSHER_IMAGE: quay.io/codefresh/cf-docker-pusher:6.0.16 + DOCKER_TAG_PUSHER_IMAGE: quay.io/codefresh/cf-docker-tag-pusher:1.3.14 + FS_OPS_IMAGE: quay.io/codefresh/fs-ops:1.2.3 + GIT_CLONE_IMAGE: quay.io/codefresh/cf-git-cloner:10.1.28 + KUBE_DEPLOY: quay.io/codefresh/cf-deploy-kubernetes:16.1.11 + PIPELINE_DEBUGGER_IMAGE: quay.io/codefresh/cf-debugger:1.3.0 + TEMPLATE_ENGINE: quay.io/codefresh/pikolo:0.14.1 + CR_6177_FIXER: 'quay.io/codefresh/alpine:edge' + GC_BUILDER_IMAGE: 'quay.io/codefresh/cf-gc-builder:0.5.3' + COSIGN_IMAGE_SIGNER_IMAGE: 'quay.io/codefresh/cf-cosign-image-signer:2.4.0-cf.2' + # -- Set additional env vars. + env: + # -- Interval to check the exec status in the container-logger + CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS: 1000 + # -- Timeout while doing requests to the Docker daemon + DOCKER_REQUEST_TIMEOUT_MS: 30000 + # -- If "true", composition images will be pulled sequentially + FORCE_COMPOSE_SERIAL_PULL: false + # -- Level of logging for engine + LOGGER_LEVEL: debug + # -- Enable debug-level logging of outgoing HTTP/HTTPS requests + LOG_OUTGOING_HTTP_REQUESTS: false + # -- Enable emitting metrics from engine + METRICS_PROMETHEUS_ENABLED: true + # -- Enable legacy metrics + METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS: false + # -- Enable collecting process metrics + METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS: false + # -- Host for Prometheus metrics server + METRICS_PROMETHEUS_HOST: '0.0.0.0' + # -- Port for Prometheus metrics server + METRICS_PROMETHEUS_PORT: 9100 + # -- Set workflow limits. + workflowLimits: + # -- Maximum time allowed to the engine to wait for the pre-steps (aka "Initializing Process") to succeed; seconds. 
+ MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS: 600 + # -- Maximum time for workflow execution; seconds. + MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION: 86400 + # -- Maximum time allowed to workflow to spend in "elected" state; seconds. + MAXIMUM_ELECTED_STATE_AGE_ALLOWED: 900 + # -- Maximum retry attempts allowed for workflow. + MAXIMUM_RETRY_ATTEMPTS_ALLOWED: 20 + # -- Maximum time allowed to workflow to spend in "terminating" state until force terminated; seconds. + MAXIMUM_TERMINATING_STATE_AGE_ALLOWED: 900 + # -- Maximum time allowed to workflow to spend in "terminating" state without logs activity until force terminated; seconds. + MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE: 300 + # -- Time since the last health check report after which workflow is terminated; seconds. + TIME_ENGINE_INACTIVE_UNTIL_TERMINATION: 300 + # -- Time since the last health check report after which the engine is considered unhealthy; seconds. + TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY: 60 + # -- Time since the last workflow logs activity after which workflow is terminated; seconds. + TIME_INACTIVE_UNTIL_TERMINATION: 2700 + # -- Set pod annotations. + podAnnotations: {} + # -- Set pod labels. + podLabels: {} + # -- Set node selector. + nodeSelector: {} + # -- Set affinity + affinity: {} + # -- Set tolerations. + tolerations: [] + # -- Set scheduler name. + schedulerName: "" + # -- Set service account for pod. + serviceAccount: codefresh-engine + # -- Set extra env vars + userEnvVars: [] + # E.g. 
+ # userEnvVars: + # - name: GITHUB_TOKEN + # valueFrom: + # secretKeyRef: + # name: github-token + # key: token + + # -- Parameters for `runtime-patch` post-upgrade/install hook + # @default -- See below + patch: + enabled: true + image: + registry: quay.io + repository: codefresh/cli + tag: 0.85.0-rootless + rbac: + enabled: true + annotations: {} + affinity: {} + nodeSelector: {} + podSecurityContext: {} + resources: {} + tolerations: [] + ttlSecondsAfterFinished: 180 + env: + HOME: /tmp + + # -- Parameters for `gencerts-dind` post-upgrade/install hook + # @default -- See below + gencerts: + enabled: true + image: + registry: quay.io + repository: codefresh/kubectl + tag: 1.28.4 + rbac: + enabled: true + annotations: {} + affinity: {} + nodeSelector: {} + podSecurityContext: {} + resources: {} + tolerations: [] + ttlSecondsAfterFinished: 180 + + # -- DinD pod daemon config + # @default -- See below + dindDaemon: + hosts: + - unix:///var/run/docker.sock + - tcp://0.0.0.0:1300 + tlsverify: true + tls: true + tlscacert: /etc/ssl/cf-client/ca.pem + tlscert: /etc/ssl/cf/server-cert.pem + tlskey: /etc/ssl/cf/server-key.pem + insecure-registries: + - 192.168.99.100:5000 + metrics-addr: 0.0.0.0:9323 + experimental: true + +# App-Proxy parameters +# Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#app-proxy-installation +# @default -- See below +appProxy: + # -- Enable app-proxy + enabled: false + # -- Set number of pods + replicasCount: 1 + # -- Upgrade strategy + updateStrategy: + type: RollingUpdate + # -- Set pod annotations + podAnnotations: {} + + # -- Set image + image: + registry: quay.io + repository: codefresh/cf-app-proxy + tag: 0.0.47 + # -- Add additional env vars + env: {} + + # Set app-proxy ingress parameters + # @default -- See below + ingress: + # -- Set path prefix for ingress (keep empty for default `/` path) + pathPrefix: "" + # -- Set ingress class + class: "" + # -- Set DNS hostname the ingress will use + host: "" + # -- Set k8s 
tls secret for the ingress object + tlsSecret: "" + # -- Set extra annotations for ingress object + annotations: {} + # E.g. + # ingress: + # pathPrefix: "/cf-app-proxy" + # class: "nginx" + # host: "mydomain.com" + # tlsSecret: "tls-cert-app-proxy" + # annotations: + # nginx.ingress.kubernetes.io/whitelist-source-range: 123.123.123.123/130 + + # -- Service Account parameters + serviceAccount: + # -- Create service account + create: true + # -- Override service account name + name: "" + # -- Use Role(true)/ClusterRole(true) + namespaced: true + # -- Additional service account annotations + annotations: {} + + # -- RBAC parameters + rbac: + # -- Create RBAC resources + create: true + # -- Use Role(true)/ClusterRole(true) + namespaced: true + # -- Add custom rule to the role + rules: [] + + # -- Set security context for the pod + podSecurityContext: {} + + # -- Readiness probe configuration + # @default -- See below + readinessProbe: + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + + # -- Set requests and limits + resources: {} + # -- Set node selector + nodeSelector: {} + # -- Set tolerations + tolerations: [] + # -- Set affinity + affinity: {} + +# Monitor parameters +# @default -- See below +monitor: + # -- Enable monitor + # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#install-monitoring-component + enabled: false + + # -- Set number of pods + replicasCount: 1 + # -- Upgrade strategy + updateStrategy: + type: RollingUpdate + # -- Set pod annotations + podAnnotations: {} + + # -- Set image + image: + registry: quay.io + repository: codefresh/cf-k8s-agent + tag: 1.3.17 + # -- Add additional env vars + env: {} + + # -- Service Account parameters + serviceAccount: + # -- Create service account + create: true + # -- Override service account name + name: "" + # -- Additional service account annotations + annotations: {} + + # -- RBAC parameters + rbac: + # -- Create RBAC resources + 
create: true + # -- Use Role(true)/ClusterRole(true) + namespaced: true + # -- Add custom rule to the role + rules: [] + + # -- Readiness probe configuration + # @default -- See below + readinessProbe: + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + + podSecurityContext: {} + + # -- Set node selector + nodeSelector: {} + # -- Set resources + resources: {} + # -- Set tolerations + tolerations: [] + # -- Set affinity + affinity: {} + +# -- Add serviceMonitor +# @default -- See below +serviceMonitor: + main: + # -- Enable service monitor for dind pods + enabled: false + nameOverride: dind + selector: + matchLabels: + app: dind + endpoints: + - path: /metrics + targetPort: 9100 + relabelings: + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + +# -- Add podMonitor (for engine pods) +# @default -- See below +podMonitor: + main: + # -- Enable pod monitor for engine pods + enabled: false + nameOverride: engine + selector: + matchLabels: + app: runtime + podMetricsEndpoints: + - path: /metrics + targetPort: 9100 + + runner: + # -- Enable pod monitor for runner pod + enabled: false + nameOverride: runner + selector: + matchLabels: + codefresh.io/application: runner + podMetricsEndpoints: + - path: /metrics + targetPort: 8080 + + volume-provisioner: + # -- Enable pod monitor for volumeProvisioner pod + enabled: false + nameOverride: volume-provisioner + selector: + matchLabels: + codefresh.io/application: volume-provisioner + podMetricsEndpoints: + - path: /metrics + targetPort: 8080 + +# -- Event exporter parameters +# @default -- See below +event-exporter: + # -- Enable event-exporter + enabled: false + # -- Set number of pods + replicasCount: 1 + # -- Upgrade strategy + updateStrategy: + type: Recreate + # -- Set pod annotations + podAnnotations: {} + + # -- Set image + image: + registry: docker.io + repository: codefresh/k8s-event-exporter + tag: latest + # -- Add additional env vars + env: {} + + 
# -- Service Account parameters + serviceAccount: + # -- Create service account + create: true + # -- Override service account name + name: "" + # -- Additional service account annotations + annotations: {} + + # -- RBAC parameters + rbac: + # -- Create RBAC resources + create: true + # -- Add custom rule to the role + rules: [] + + # -- Set security context for the pod + # @default -- See below + podSecurityContext: + enabled: false + + # -- Set node selector + nodeSelector: {} + # -- Set resources + resources: {} + # -- Set tolerations + tolerations: [] + # -- Set affinity + affinity: {} + +# -- Array of extra objects to deploy with the release +extraResources: [] +# E.g. +# extraResources: +# - apiVersion: rbac.authorization.k8s.io/v1 +# kind: ClusterRole +# metadata: +# name: codefresh-role +# rules: +# - apiGroups: [ "*"] +# resources: ["*"] +# verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +# - apiVersion: v1 +# kind: ServiceAccount +# metadata: +# name: codefresh-user +# namespace: "{{ .Release.Namespace }}" +# - apiVersion: rbac.authorization.k8s.io/v1 +# kind: ClusterRoleBinding +# metadata: +# name: codefresh-user +# roleRef: +# apiGroup: rbac.authorization.k8s.io +# kind: ClusterRole +# name: codefresh-role +# subjects: +# - kind: ServiceAccount +# name: codefresh-user +# namespace: "{{ .Release.Namespace }}" +# - apiVersion: v1 +# kind: Secret +# type: kubernetes.io/service-account-token +# metadata: +# name: codefresh-user-token +# namespace: "{{ .Release.Namespace }}" +# annotations: +# kubernetes.io/service-account.name: "codefresh-user" diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/Chart.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/Chart.yaml new file mode 100644 index 000000000..c8ebb7542 --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/Chart.yaml 
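Review bot: `runtime.dindDaemon` in values.yaml ships with `insecure-registries: - 192.168.99.100:5000` as a default, which tells every DinD daemon rendered from this chart to accept plain-HTTP or untrusted-TLS pulls and pushes from that address without any opt-in; a default of `insecure-registries: []` with the address moved into an `# E.g.` comment, like the chart does elsewhere, keeps that decision with the operator. `event-exporter.image.tag: latest` is the only unpinned image tag in the file, so that deployment is neither reproducible nor verifiable against a known digest; pinning it like the other images would be consistent. The comment `# -- Use Role(true)/ClusterRole(true)` on the `namespaced` keys under `appProxy.serviceAccount`, `appProxy.rbac` and `monitor.rbac` gives the same value for both cases and presumably means `Role(true)/ClusterRole(false)`. `runtime.dind.env.DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE: true` re-enables a deprecated manifest format by default; a comment stating why it is still required would help a later reviewer decide when it can be dropped.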
@@ -0,0 +1,23 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Confluent for Kubernetes
+ catalog.cattle.io/kube-version: '>=1.15-0'
+ catalog.cattle.io/release-name: confluent-for-kubernetes
+apiVersion: v1
+appVersion: 2.9.3
+description: A Helm chart to deploy Confluent for Kubernetes
+home: https://www.confluent.io/
+icon: file://assets/icons/confluent-for-kubernetes.png
+keywords:
+- Confluent
+- Confluent Operator
+- Confluent Platform
+- CFK
+kubeVersion: '>=1.15-0'
+maintainers:
+- email: operator@confluent.io
+ name: Confluent Operator
+name: confluent-for-kubernetes
+sources:
+- https://docs.confluent.io/current/index.html
+version: 0.1033.33
diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/README.md b/charts/confluent/confluent-for-kubernetes/0.1033.33/README.md
new file mode 100644
index 000000000..512ca36c7
--- /dev/null
+++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/README.md
@@ -0,0 +1,72 @@
+Confluent for Kubernetes
+==================================================================
+
+Confluent for Kubernetes (CFK) is a cloud-native control plane for deploying and managing Confluent in your private cloud environment. It provides standard and simple interface to customize, deploy, and manage Confluent Platform through declarative API.
+
+Confluent for Kubernetes runs on Kubernetes, the runtime for private cloud architectures.
+
+
+
+
+
+ NOTE: Confluent for Kubernetes is the next generation of Confluent Operator. For Confluent Operator 1.x documentation, see [Confluent Operator 1](https://docs.confluent.io/operator/1.7.0/overview.html), or use the version picker to browse to a specific version of the documentation.
+
+See [Introducing Confluent for Kubernetes](https://www.confluent.io/blog/confluent-for-kubernetes-offers-cloud-native-kafka-automation/) for an overview.
+
+The following shows the high-level architecture of Confluent for Kubernetes and Confluent Platform in Kubernetes.
+
+[![_images/co-architecture.png](https://docs.confluent.io/operator/current/_images/co-architecture.png)](_images/co-architecture.png)
+
+Features
+---------------------------------------------------
+
+The following are summaries of the main, notable features of Confluent for Kubernetes.
+
+#### Cloud Native Declarative API
+
+* Declarative Kubernetes-native API approach to configure, deploy, and manage Confluent Platform components (Apache KafkaB., Connect workers, ksqlDB, Schema Registry, Confluent Control Center) and resources (topics, rolebindings) through Infrastructure as Code (IaC).
+* Provides built-in automation for cloud-native security best practices:
+ * Complete granular RBAC, authentication and TLS network encryption
+ * Auto-generated certificates
+ * Support for credential management systems, such as Hashicorp Vault, to inject sensitive configurations in memory to Confluent deployments
+* Provides server properties, JVM, and Log4j configuration overrides for customization of all Confluent Platform components.
+
+#### Upgrades
+
+* Provides automated rolling updates for configuration changes.
+* Provides automated rolling upgrades with no impact to Kafka availability.
+
+#### Scaling
+
+* Provides single command, automated scaling and reliability checks of Confluent Platform.
+
+#### Resiliency
+
+* Restores a Kafka pod with the same Kafka broker ID, configuration, and persistent storage volumes if a failure occurs.
+* Provides automated rack awareness to spread replicas of a partition across different racks (or zones), improving availability of Kafka brokers and limiting the risk of data loss.
+
+#### Scheduling
+
+* Supports Kubernetes labels and annotations to provide useful context to DevOps teams and ecosystem tooling.
+* Supports Kubernetes tolerations and pod/node affinity for efficient resource utilization and pod placement.
+
+#### Monitoring
+
+* Supports metrics aggregation using JMX/Jolokia.
+* Supports aggregated metrics export to Prometheus.
+
+Licensing
+-----------------------------------------------------
+
+You can use Confluent for Kubernetes and Confluent Control Center for a 30-day trial period without a license key.
+
+After 30 days, Confluent for Kubernetes and Control Center require a license key. Confluent issues keys to subscribers, along with providing [enterprise-level support](https://www.confluent.io/subscription/) for Confluent components and Confluent for Kubernetes.
+
+If you are a subscriber, contact Confluent Support at [support@confluent.io](mailto:support@confluent.io) for more information.
+
+See [Update Confluent Platform License](co-license.html#co-license-key) if you have received a key for Confluent for Kubernetes.
+
+© Copyright 2021 , Confluent, Inc. [Privacy Policy](https://www.confluent.io/confluent-privacy-statement/) | [Terms & Conditions](https://www.confluent.io/terms-of-use/). Apache, Apache Kafka, Kafka and the Kafka logo are trademarks of the [Apache Software Foundation](http://www.apache.org/). All other trademarks, servicemarks, and copyrights are the property of their respective owners.
+
+[Please report any inaccuracies on this page or suggest an edit.](mailto:docs@confluent.io)
+
diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/app-readme.md b/charts/confluent/confluent-for-kubernetes/0.1033.33/app-readme.md
new file mode 100644
index 000000000..cfcabdd21
--- /dev/null
+++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/app-readme.md
@@ -0,0 +1,3 @@
+##Confluent For Kubernetes
+
+With Confluent for Kubernetes, Confluent brings a cloud-native experience for data in motion workloads in on-premises environments. Based on our expertise and learnings from operating over 5,000 clusters in Confluent Cloud, Confluent for Kubernetes offers an opinionated deployment of Confluent Platform that enhances the platformb's elasticity, ease of operations, and resiliency.
diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_clusterlinks.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_clusterlinks.yaml
new file mode 100644
index 000000000..5c8a627c3
--- /dev/null
+++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_clusterlinks.yaml
@@ -0,0 +1,883 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: clusterlinks.platform.confluent.io +spec: + group: platform.confluent.io + names: + categories: + - all + - confluent-platform + - confluent + kind: ClusterLink + listKind: ClusterLinkList + plural: clusterlinks + shortNames: + - cl + - clusterlink + - clink + singular: clusterlink + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.clusterLinkID + name: ID + type: string + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .status.destinationKafkaClusterID + name: DestClusterID + type: string + - jsonPath: .status.sourceKafkaClusterID + name: SrcClusterID + type: string + - jsonPath: .status.numMirrorTopics + name: MirrorTopicCount + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: ClusterLink is the schema for the ClusterLink API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of the cluster link. 
+ properties: + aclFilters: + description: |- + aclFilters specify the list of ACLs to be migrated from the source cluster to the + destination cluster. + items: + description: |- + AclFilter defines the configuration for the ACLs filter. This follows the same pattern as defined in the + cluster linking documentation. More info: + https://docs.confluent.io/platform/current/multi-dc-deployments/cluster-linking/security.html#cluster-link-acls-migrate + properties: + accessFilter: + description: AclSyncAccessFilter defines the access filter for + ACLs. + properties: + host: + description: |- + host is the host for which operations can be coming from. + The default value is `*` that matches all hosts. + type: string + operation: + description: |- + operation specifies the operation type of the filter. It can be `ANY` or operations + based on resource type defined in the following Confluent documentation: + https://docs.confluent.io/platform/current/kafka/authorization.html#acl-operations + type: string + permissionType: + description: permissionType is the permission type of the + filter. Valid options are `any`, `allow`, and `deny`. + enum: + - any + - allow + - deny + type: string + principal: + description: |- + principal is the name of the principal. + The default value is `*`. + type: string + required: + - operation + - permissionType + type: object + resourceFilter: + description: AclSyncResourceFilter specifies the resource filter + for ACLs. + properties: + name: + description: |- + name is the name of the resource associated with this filter. + The default value is `*`. + type: string + patternType: + description: patternType is the pattern of the resource. + Valid options are `prefixed`, `literal`, `any`, and `match`. + enum: + - prefixed + - literal + - any + - match + type: string + resourceType: + description: resourceType is the type of the filter. Valid + options are `any`, `cluster`, `group`, `topic`, `transactionId`, + and `delegationToken`. 
+ enum: + - any + - cluster + - group + - topic + - transcationId + - delegationToken + type: string + required: + - patternType + - resourceType + type: object + required: + - accessFilter + - resourceFilter + type: object + type: array + configs: + additionalProperties: + type: string + description: |- + configs is a map of string key and value pairs. It specifies additional configurations for the cluster link. + More info: https://docs.confluent.io/platform/current/multi-dc-deployments/cluster-linking/configs.html + type: object + x-kubernetes-map-type: granular + consumerGroupFilters: + description: |- + consumerGroupFilters specify a list of consumer groups to be migrated from + the source cluster to the destination cluster. + items: + description: ClusterLinkOptionsFilter defines the scheme for a filter + properties: + filterType: + description: filterType specifies the filter type. Valid options + are `INCLUDE` and `EXCLUDE`. + enum: + - INCLUDE + - EXCLUDE + type: string + name: + description: name is the resource name associated with this + filter. + type: string + patternType: + description: patternType is the pattern of the resource. Valid + options are `PREFIXED` and `LITERAL`. + enum: + - PREFIXED + - LITERAL + type: string + required: + - filterType + - name + - patternType + type: object + type: array + destinationKafkaCluster: + description: destinationKafkaCluster specifies the destination Kafka + cluster and its REST API configuration. + properties: + authentication: + description: authentication specifies the authentication for the + Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side JaaS + configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another way to + provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim in + the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected issuer + in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of claim + in token for identifying the groups of subject in the + JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. 
+ minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout with + IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry backoff + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff with + IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim in JWT + to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. 
+ enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: |- + bootstrapEndpoint specifies the bootstrap endpoint for the Kafka cluster. + When `spec.sourceInitiatedLink.linkMode` is configured as `Source`, this is required for + `spec.destinationKafkaCluster` and not required for `spec.sourceKafkaCluster`. + For other cluster links this is required for `spec.sourceKafkaCluster` and not required for + `spec.destinationKafkaCluster`. + minLength: 1 + pattern: .+:[0-9]+ + type: string + clusterID: + description: |- + clusterID specifies the id of the Kafka cluster. + If clusterID is defined for the Kafka cluster, it takes precedence over using the REST API + for getting the cluster ID. + minLength: 1 + type: string + kafkaRestClassRef: + description: |- + kafkaRestClassRef references the KafkaRestClass application resource which + defines the Kafka REST API connection information. + When `spec.sourceInitiatedLink.linkMode` is configured as `Source`, this is required for + `spec.sourceKafkaCluster` and optional for `spec.destinationKafkaCluster` if `spec.clusterID` is set. + For other cluster links this is required for 'spec.destinationKafkaCluster` and optional for + `spec.sourceKafkaCluster` if the `spec.clusterID` is set. + properties: + name: + description: name specifies the name of the KafkaRestClass + application resource. + minLength: 1 + type: string + namespace: + description: namespace specifies the namespace of the KafkaRestClass. + type: string + required: + - name + type: object + tls: + description: tls specifies the client-side TLS configuration for + the Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer contains the directory path in the container where + `fullchain.pem`, `privkey.pem`, `cacerts.pem` or `tls.crt`, `tls.key`, `ca.crt` keys are mounted. 
+ minLength: 1 + type: string + enabled: + description: enabled specifies whether to enable the TLS configuration + for the cluster link. The default value is `false`. + type: boolean + keyPassword: + description: |- + keyPassword references the secret containing the SSL key password if the private key passed + in the secretRef above is encrypted. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + mirrorTopicOptions: + description: mirrorTopicOptions specify configuration options for + mirror topics. + properties: + autoCreateTopics: + description: |- + autoCreateTopics specifies configurations for the cluster link to + automatically create mirror topics on the destination cluster for topics that exist on the source cluster based on defined filters. + More info: https://docs.confluent.io/platform/current/multi-dc-deployments/cluster-linking/mirror-topics-cp.html#auto-create-mirror-topics + properties: + enabled: + description: |- + enabled specifies whether to auto-create mirror topics based on topics on the source cluster. + When set to “true”, mirror topics will be auto-created. Setting this option to “false” disables mirror topic creation and clears any existing filters. + type: boolean + topicFilters: + description: topicFilter contains an array of filters to apply + to indicate which topics should be mirrored. 
+ items: + description: ClusterLinkOptionsFilter defines the scheme + for a filter + properties: + filterType: + description: filterType specifies the filter type. Valid + options are `INCLUDE` and `EXCLUDE`. + enum: + - INCLUDE + - EXCLUDE + type: string + name: + description: name is the resource name associated with + this filter. + type: string + patternType: + description: patternType is the pattern of the resource. + Valid options are `PREFIXED` and `LITERAL`. + enum: + - PREFIXED + - LITERAL + type: string + required: + - filterType + - name + - patternType + type: object + type: array + type: object + prefix: + description: |- + prefix specifies prefix for the mirror topics of the cluster link. + If configured, the valid mirror topic name should be defined with `` format + which mirrors the topic name of the format `` from source cluster. + When auto-create is enabled and the prefix is configured then the topics created on the destination will automatically contain the prefix. + Otherwise, `spec.mirrorTopic.name` should be defined with `` format. + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9\._\-]*$ + type: string + type: object + mirrorTopics: + description: mirrorTopics specify the mirror topics under this cluster + link. + items: + description: MirrorTopic defines the mirror topic configuration. + properties: + configs: + additionalProperties: + type: string + description: configs is a map of string key and value pairs. + It specifies any additional configuration or configuration + overrides for the mirror topic. + type: object + x-kubernetes-map-type: granular + name: + description: |- + name is the mirror topic name. If the sourceTopicName is not configured, + we assume that the sourceTopicName is the same as mirrorTopicName, + so a topic with the exact same name must exist on the source cluster and + no topic with this name should exist on the destination cluster. 
+ When `spec.mirrorTopicOptions.prefix: ` is configured for the cluster link, + the name has to be of the format ``. + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9\._\-]*$ + type: string + replicationFactor: + description: |- + replicationFactor specifies the replication factor for the mirror topic on the destination cluster. + If this is not configured, mirror topic will inherit the broker `default.replication.factor` configuration. + format: int32 + type: integer + sourceTopicName: + description: |- + sourceTopicName is topic name on the source cluster that will be mirrored to the destination cluster. + When `spec.mirrorTopicOptions.prefix: ` is not configured, you should not configure this field. + If it is configured, a topic with the exact same name must exist on the source cluster. + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9\._\-]*$ + type: string + state: + description: |- + state specifies the desired state for this mirror topic. Valid options are + `ACTIVE`, `FAILOVER`, `PAUSE`, and `PROMOTE`. The default value is `ACTIVE`. + enum: + - PAUSE + - PROMOTE + - FAILOVER + - ACTIVE + type: string + required: + - name + type: object + type: array + name: + description: |- + name specifies the cluster link name. If not configured, then ClusterLink CR name is used + as the cluster link name. + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9\._\-]*$ + type: string + sourceInitiatedLink: + description: sourceInitiatedLink specify configs for source initiated + cluster links. + properties: + linkMode: + description: linkMode specifies if this source initiated cluster + link is in Source or Destination mode. + enum: + - Source + - Destination + - Bidirectional + type: string + required: + - linkMode + type: object + sourceKafkaCluster: + description: sourceKafkaCluster specifies the source Kafka cluster + and its REST API configuration. 
+ properties: + authentication: + description: authentication specifies the authentication for the + Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side JaaS + configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another way to + provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim in + the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected issuer + in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of claim + in token for identifying the groups of subject in the + JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). 
+ It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout with + IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry backoff + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff with + IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim in JWT + to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: |- + bootstrapEndpoint specifies the bootstrap endpoint for the Kafka cluster. + When `spec.sourceInitiatedLink.linkMode` is configured as `Source`, this is required for + `spec.destinationKafkaCluster` and not required for `spec.sourceKafkaCluster`. + For other cluster links this is required for `spec.sourceKafkaCluster` and not required for + `spec.destinationKafkaCluster`. + minLength: 1 + pattern: .+:[0-9]+ + type: string + clusterID: + description: |- + clusterID specifies the id of the Kafka cluster. + If clusterID is defined for the Kafka cluster, it takes precedence over using the REST API + for getting the cluster ID. + minLength: 1 + type: string + kafkaRestClassRef: + description: |- + kafkaRestClassRef references the KafkaRestClass application resource which + defines the Kafka REST API connection information. + When `spec.sourceInitiatedLink.linkMode` is configured as `Source`, this is required for + `spec.sourceKafkaCluster` and optional for `spec.destinationKafkaCluster` if `spec.clusterID` is set. + For other cluster links this is required for 'spec.destinationKafkaCluster` and optional for + `spec.sourceKafkaCluster` if the `spec.clusterID` is set. + properties: + name: + description: name specifies the name of the KafkaRestClass + application resource. + minLength: 1 + type: string + namespace: + description: namespace specifies the namespace of the KafkaRestClass. 
+ type: string + required: + - name + type: object + tls: + description: tls specifies the client-side TLS configuration for + the Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer contains the directory path in the container where + `fullchain.pem`, `privkey.pem`, `cacerts.pem` or `tls.crt`, `tls.key`, `ca.crt` keys are mounted. + minLength: 1 + type: string + enabled: + description: enabled specifies whether to enable the TLS configuration + for the cluster link. The default value is `false`. + type: boolean + keyPassword: + description: |- + keyPassword references the secret containing the SSL key password if the private key passed + in the secretRef above is encrypted. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + required: + - destinationKafkaCluster + - sourceKafkaCluster + type: object + status: + description: status defines the observed state of the cluster link. + properties: + appState: + default: Unknown + description: appState is the current state of the cluster link application. + enum: + - Unknown + - Created + - Failed + - Deleted + type: string + clusterLinkID: + description: clusterLinkID is the id of the cluster link. + type: string + clusterLinkName: + description: clusterLinkName is the name of the cluster link. 
+ type: string + conditions: + description: conditions are the latest available observations of the + cluster link's state. + items: + description: Condition represent the latest available observations + of the current state. + properties: + lastProbeTime: + description: lastProbeTime shows the last time the condition + was evaluated. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime shows the last time the condition + was transitioned from one status to another. + format: date-time + type: string + message: + description: message shows a human-readable message with details + about the transition. + type: string + reason: + description: reason shows the reason for the last transition + of the condition. + type: string + status: + description: status shows the status of the condition, one of + `True`, `False`, or `Unknown`. + type: string + type: + description: type shows the condition type. + type: string + type: object + type: array + destinationKafkaClusterID: + description: destinationKafkaClusterID is the ID of the destination + Kafka cluster. + type: string + kafkaCluster: + description: 'kafkaCluster is the Kafka cluster this cluster link + belongs to. The format is: `/`' + type: string + mirrorTopics: + additionalProperties: + description: |- + MirrorTopicStatus specifies the status reported for each mirror topic as part of + the cluster link status. + properties: + observedGeneration: + description: observedGeneration is the most recent generation + observed for this Confluent component. + format: int64 + type: integer + replicationFactor: + description: replicationFactor specifies the replication factor + for the mirror topic on the destination cluster. + format: int32 + type: integer + sourceTopicName: + description: sourceTopicName is the name of the topic being + mirrored on the source cluster. + type: string + status: + description: |- + status is the status of the mirror topic. 
+ It can be `ACTIVE`, `FAILED`, `PAUSED`, `STOPPED`, and `PENDING_STOPPED`. + type: string + type: object + description: mirrorTopics is a map of mirror topic name to its status + type: object + x-kubernetes-map-type: granular + numMirrorTopics: + description: numMirrorTopics is the number of mirror topics for the + cluster link. + type: integer + observedGeneration: + description: observedGeneration is the most recent generation observed + for this Confluent component. + format: int64 + type: integer + sourceKafkaClusterID: + description: sourceKafkaClusterID is the ID of the source Kafka cluster. + type: string + state: + description: state is the current state of the cluster link. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_confluentrolebindings.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_confluentrolebindings.yaml new file mode 100644 index 000000000..8ff4d8c9e --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_confluentrolebindings.yaml 
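Review bot: The `resourceType` enum under `spec.aclFilters[].resourceFilter` in the clusterlinks CRD lists `transcationId`, while the field's own description documents `transactionId`, so an ACL migration filter written with the documented spelling is rejected by the API server's schema validation and the spelling the schema does accept presumably matches no Kafka ACL resource type. The practical effect is that transactional-ID ACLs cannot be selected for migration through this filter, which is the kind of silent authorization gap a cluster-link rollout should not carry. The line to change is `- transcationId` → `- transactionId`. Since the file is controller-gen output (per the `controller-gen.kubebuilder.io/version` annotation), the correction belongs in the upstream source it is generated from, with the mirrored chart re-synced once a fixed version is published.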
@@ -0,0 +1,296 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: confluentrolebindings.platform.confluent.io +spec: + group: platform.confluent.io + names: + categories: + - all + - confluent-platform + - confluent + kind: ConfluentRolebinding + listKind: ConfluentRolebindingList + plural: confluentrolebindings + shortNames: + - cfrb + - confluentrolebinding + singular: confluentrolebinding + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .status.kafkaClusterID + name: KafkaClusterID + type: string + - jsonPath: .status.principal + name: Principal + type: string + - jsonPath: .status.role + name: Role + type: string + - jsonPath: .status.kafkaRestClass + name: KafkaRestClass + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.kafkaCluster + name: KafkaCluster + priority: 1 + type: string + - jsonPath: .status.clusterRegistryName + name: ClusterRegistryName + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: ConfluentRolebinding is the schema for the ConfluentRolebinding + API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of the ConfluentRolebinding. + properties: + clustersScopeByIds: + description: clustersScopeByIds specify the scope of the Confluent + component cluster(s) via cluster id(s). + properties: + connectClusterId: + description: connectClusterId specifies the Connect cluster id. + minLength: 1 + type: string + kafkaClusterId: + description: kafkaClusterId specifies the id of the Kafka cluster + id. + minLength: 1 + type: string + ksqlClusterId: + description: ksqlClusterId specifies the ksqlDB cluster id. + minLength: 1 + type: string + schemaRegistryClusterId: + description: schemaRegistryClusterId specifies the Schema Registry + cluster id. + minLength: 1 + type: string + type: object + clustersScopeByRegistryName: + description: clustersScopeByRegistryName specifies the unique cluster + name you registered in the cluster registry. + minLength: 1 + type: string + kafkaRestClassRef: + description: kafkaRestClassRef references the KafkaRestClass that + defines the Kafka REST API connection information. + properties: + name: + description: name specifies the name of the KafkaRestClass application + resource. + minLength: 1 + type: string + namespace: + description: namespace specifies the namespace of the KafkaRestClass. + type: string + required: + - name + type: object + principal: + description: RolebindingPrincipal defines the principal(user/group) + the rolebinding belongs to. + properties: + name: + description: name specifies the name of the principal. + minLength: 1 + type: string + type: + description: type specifies the type of the principal. Valid options + are `user` and `group`. 
+ enum: + - user + - group + type: string + required: + - name + - type + type: object + resourcePatterns: + description: resourcePatterns specify the qualified resources associated + with this rolebinding. + items: + description: ResourcePattern specifies the qualified resource info + associated with this rolebinding. + properties: + name: + description: name specifies the name of the resource associated + with this rolebinding. + minLength: 1 + type: string + patternType: + description: |- + patternType specifies the pattern of the resource. Valid options are + `PREFIXED` or `LITERAL`. The default value is `LITERAL`. + enum: + - PREFIXED + - LITERAL + type: string + resourceType: + description: |- + resourceType refers to the type of the resource. + Valid options are `Topic`, `Group`, `Subject`, `KsqlCluster`, `Cluster`, `TransactionalId`, etc. + minLength: 1 + type: string + required: + - name + - resourceType + type: object + type: array + role: + description: role specifies the name of the role. + minLength: 1 + type: string + required: + - principal + - role + type: object + status: + description: status is the observed state of the ConfluentRolebinding. + properties: + appState: + default: Unknown + description: appState is the current state of the rolebinding application. + enum: + - Unknown + - Created + - Failed + - Deleted + type: string + clusterRegistryName: + description: clusterRegistryName is the cluster registry name the + rolebinding associated with. + type: string + conditions: + description: conditions are the latest available observations of the + rolebinding's state. + items: + description: Condition represent the latest available observations + of the current state. + properties: + lastProbeTime: + description: lastProbeTime shows the last time the condition + was evaluated. 
+ format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime shows the last time the condition + was transitioned from one status to another. + format: date-time + type: string + message: + description: message shows a human-readable message with details + about the transition. + type: string + reason: + description: reason shows the reason for the last transition + of the condition. + type: string + status: + description: status shows the status of the condition, one of + `True`, `False`, or `Unknown`. + type: string + type: + description: type shows the condition type. + type: string + type: object + type: array + kafkaCluster: + description: 'kafkaCluster is the Kafka cluster the rolebinding belongs + to. The format is: `/`.' + type: string + kafkaClusterID: + description: kafkaClusterID is the id of the Kafka cluster. + type: string + kafkaRestClass: + description: 'kafkaRestClass is the kafkaRestClass this rolebinding + uses. The format is: `/`.' + type: string + mdsEndpoint: + description: mdsEndpoint is the MDS endpoint. + type: string + observedGeneration: + description: observedGeneration is the most recent generation observed + for this Confluent component. + format: int64 + type: integer + principal: + description: 'principal is the principal the rolebinding belongs to. + The format is: `:`.' + type: string + resourcePatterns: + description: resourcePatterns are the resource patterns this rolebinding + is associated with. + items: + description: ResourcePattern specifies the qualified resource info + associated with this rolebinding. + properties: + name: + description: name specifies the name of the resource associated + with this rolebinding. + minLength: 1 + type: string + patternType: + description: |- + patternType specifies the pattern of the resource. Valid options are + `PREFIXED` or `LITERAL`. The default value is `LITERAL`. 
+ enum: + - PREFIXED + - LITERAL + type: string + resourceType: + description: |- + resourceType refers to the type of the resource. + Valid options are `Topic`, `Group`, `Subject`, `KsqlCluster`, `Cluster`, `TransactionalId`, etc. + minLength: 1 + type: string + required: + - name + - resourceType + type: object + type: array + role: + description: role is the role this rolebinding is associated with. + type: string + state: + description: state is the state of this rolebinding. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_connectors.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_connectors.yaml new file mode 100644 index 000000000..07bf6d1bb --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_connectors.yaml 
@@ -0,0 +1,496 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: connectors.platform.confluent.io +spec: + group: platform.confluent.io + names: + categories: + - all + - confluent-platform + - confluent + kind: Connector + listKind: ConnectorList + plural: connectors + shortNames: + - ctr + - connector + singular: connector + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .status.connectorState + name: ConnectorStatus + type: string + - jsonPath: .status.tasksReady + name: Tasks-Ready + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.connectRestEndpoint + name: ConnectEndpoint + priority: 1 + type: string + - jsonPath: .status.failedTasksCount + name: Tasks-Failed + priority: 1 + type: string + - jsonPath: .status.workerID + name: WorkerID + priority: 1 + type: string + - jsonPath: .status.restartPolicy.type + name: RestartPolicy + priority: 1 + type: string + - jsonPath: .status.kafkaClusterID + name: KafkaClusterID + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: Connector is the schema for the Connector API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of the Connector. + properties: + class: + description: |- + class specifies the class name of the connector. + The Connect cluster displays the supported class names in its status. + minLength: 1 + type: string + configs: + additionalProperties: + type: string + description: configs is a map of string key and value pairs. It specifies + the additional configurations for the connector. + type: object + x-kubernetes-map-type: granular + connectClusterRef: + description: connectClusterRef references the CFK managed Connect + cluster. + properties: + name: + description: name specifies the name of the Confluent Platform + component cluster. + type: string + namespace: + description: namespace specifies the namespace where the Confluent + Platform component cluster is running. + type: string + required: + - name + type: object + connectRest: + description: connectRest specifies the Connect REST API connection + configuration. + properties: + authentication: + description: authentication specifies the REST API authentication + mechanism. + properties: + basic: + description: basic specifies the basic authentication settings + for the REST API client. + properties: + debug: + description: debug enables the basic authentication debug + logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. 
+ This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + bearer: + description: bearer specifies the bearer authentication settings + for the REST API client. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the OAuth authentication settings + for the REST API client. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). 
+ It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass the + basic credential through a directory path in the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to pass + the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the REST API authentication type. + Valid options are `basic`, `bearer`, `mtls` and `oauth`. 
+ enum: + - basic + - bearer + - mtls + - oauth + type: string + required: + - type + type: object + endpoint: + description: endpoint specifies where Confluent REST API is running. + minLength: 1 + pattern: ^https?://.* + type: string + kafkaClusterID: + description: |- + kafkaClusterID specifies the id of Kafka cluster. + It takes precedence over using the Kafka REST API to get the cluster id. + minLength: 1 + type: string + tls: + description: "tls specifies the custom TLS structure for the application + resources,\n\t// e.g. connector, topic, schema, of the Confluent + Platform components.\n\t// +optional" + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer contains the directory path in the container where + `keystore.jks`, `truststore.jks`, `jksPassword.txt` keys are mounted. + minLength: 1 + type: string + jksPassword: + description: jksPassword specifies the secret name that contains + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef specifies the secret name that contains the certificates. + More info about certificates key/value format: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: object + name: + description: |- + name specifies the connector name. If not configured, + the Connector CR name is used as the connector name. 
+ maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9\._\-]*$ + type: string + restartPolicy: + description: restartPolicy specifies the policy to restart failed + tasks of the connector. + properties: + maxRetry: + description: maxRetry specifies the max number of tries to restart + failed tasks when the `restartPolicy` type is `OnFailure`. The + default value is `10`. + format: int32 + minimum: 1 + type: integer + type: + description: |- + type specifies the policy type to restart connector tasks. Valid options are `OnFailure` and `Never`. + Default value is `OnFailure`, which means it will restart automatically when a task fails if the `maxRetry` value is not reached. + enum: + - OnFailure + - Never + type: string + required: + - type + type: object + taskMax: + description: |- + taskMax specifies the maximum number of tasks for the connector. It must be greater than 0. + The connector may create fewer tasks if it cannot achieve this level of parallelism. + format: int32 + minimum: 1 + type: integer + required: + - class + - taskMax + type: object + status: + description: status defines the observed state of the Connector. + properties: + appState: + default: Unknown + description: appState is the current state of the connector application. + enum: + - Unknown + - Created + - Failed + - Deleted + type: string + conditions: + description: conditions are the latest available observations of the + connector state. + items: + description: Condition represent the latest available observations + of the current state. + properties: + lastProbeTime: + description: lastProbeTime shows the last time the condition + was evaluated. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime shows the last time the condition + was transitioned from one status to another. + format: date-time + type: string + message: + description: message shows a human-readable message with details + about the transition. 
+ type: string + reason: + description: reason shows the reason for the last transition + of the condition. + type: string + status: + description: status shows the status of the condition, one of + `True`, `False`, or `Unknown`. + type: string + type: + description: type shows the condition type. + type: string + type: object + type: array + connectRestEndpoint: + description: connectRestEndpoint is the REST endpoint of the Connect + cluster. + type: string + connectorState: + description: connectorState is the status of the connector instance. + type: string + failedTasks: + additionalProperties: + description: TaskStatus defines the connector task status. + properties: + id: + description: Id is the id of the task. + format: int32 + type: integer + retryCount: + description: retryCount is the number of retry attempts to restart + the failed task. + format: int32 + type: integer + workerID: + description: workerID is the workerId for the task. + type: string + required: + - id + type: object + description: |- + failedTasks is the map of connector tasks in the `FAILED` state. + Error messages of failed tasks are logged in the CFK logs as `INFO`. + You can also get the error message via Connect REST API calls. + type: object + x-kubernetes-map-type: granular + failedTasksCount: + description: failedTasksCount is the number of failed tasks. + format: int32 + type: integer + kafkaClusterID: + description: kafkaClusterID is the Kafka cluster id the connector + belongs to. + type: string + observedGeneration: + description: observedGeneration is the most recent generation observed + for this Confluent component. + format: int64 + type: integer + restartPolicy: + description: restartPolicy is the policy to restart failed tasks of + the connector. + properties: + maxRetry: + description: maxRetry specifies the max number of tries to restart + failed tasks when the `restartPolicy` type is `OnFailure`. The + default value is `10`. 
+ format: int32 + minimum: 1 + type: integer + type: + description: |- + type specifies the policy type to restart connector tasks. Valid options are `OnFailure` and `Never`. + Default value is `OnFailure`, which means it will restart automatically when a task fails if the `maxRetry` value is not reached. + enum: + - OnFailure + - Never + type: string + required: + - type + type: object + state: + description: state is the custom resource state of the connector. + This is not the connector state, which can be `CREATED`, `ERROR`, + etc. + type: string + tasksReady: + description: |- + tasksReady is the number of running tasks based on `taskMax`. + The value is in the following format: `/` + type: string + trace: + description: trace is the error trace message for the connector instance. + type: string + workerID: + description: workerID is the workerId of the connector instance. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_connects.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_connects.yaml new file mode 100644 index 000000000..70e45faaa --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_connects.yaml 
@@ -0,0 +1,6941 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: connects.platform.confluent.io +spec: + group: platform.confluent.io + names: + categories: + - all + - confluent-platform + - confluent + kind: Connect + listKind: ConnectList + plural: connects + shortNames: + - connect + singular: connect + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.replicas + name: Replicas + type: string + - jsonPath: .status.readyReplicas + name: Ready + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.kafka.bootstrapEndpoint + name: Kafka + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: Connect is the schema for the Connect API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of the Connect cluster. + properties: + authentication: + description: authentication specifies authentication configuration. + properties: + basic: + description: basic specifies the configuration for basic authentication. 
+ properties: + debug: + description: debug enables the basic authentication debug + logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the configuration for OAuth authentication. + properties: + configuration: + description: configuration specifies the OAuth server settings. + properties: + audience: + description: audience specifies the audience claim in + the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected issuer + in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of claim + in token for identifying the groups of subject in the + JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). 
+ It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout with + IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry backoff + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff with + IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim in JWT + to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass the basic + credential through a directory path in the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to pass the + required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication scheme for the + REST API server. Valid options are `basic`, `oauth` and `mtls`. 
+ enum: + - basic + - mtls + - oauth + type: string + required: + - type + type: object + authorization: + description: authorization specifies the authorization configuration. + properties: + kafkaRestClassRef: + description: |- + kafkaRestClassRef references the KafkaRestClass + which specifies the Kafka REST API connection configuration. + properties: + name: + description: name specifies the name of the KafkaRestClass + application resource. + minLength: 1 + type: string + namespace: + description: namespace specifies the namespace of the KafkaRestClass. + type: string + required: + - name + type: object + type: + description: type specifies the client-side authorization type. + The valid option is `rbac`. + enum: + - rbac + type: string + required: + - type + type: object + build: + description: build defines the build configurations for connector + plugins. + properties: + onDemand: + description: OnDemand defines the build configurations for the + `onDemand` build type. + properties: + plugins: + description: plugins define the installation information for + connector plugins. + properties: + confluentHub: + description: confluentHub contains a list of connector + plugins you get from Confluent Hub. + items: + description: ConfluentHubPlugin contains the required + information to get the connector plugin from Confluent + Hub. + properties: + name: + description: name specifies the name of the connector + plugin. + minLength: 1 + type: string + owner: + description: owner specifies the individual or organization + that provides the connector plugin, for example, + `confluentinc`. + minLength: 1 + type: string + version: + description: version specifies the version of the + connector plugin, which can be either the version + of the plugin or the literal `latest`. + minLength: 1 + type: string + required: + - name + - owner + - version + type: object + type: array + locationType: + description: This field is deprecated and will be ignored + if set. 
+ enum: + - confluentHub + - url + type: string + url: + description: url contains a list of URL plugins you get + from external URLs. + items: + description: URLPlugin defines the information to get + the connector plugin from an external URL. + properties: + archivePath: + description: |- + archivePath specifies the archive path of the connector plugin. + Currently, only support ZIP archives. + minLength: 1 + pattern: ^https?://.* + type: string + checksum: + description: |- + checksum defines the sha512sum checksum of the connector plugin's remote file. + It is used to verify the remote file after it is downloaded. + type: string + name: + description: name specifies the connector plugin + name. + minLength: 1 + type: string + required: + - archivePath + - checksum + - name + type: object + type: array + type: object + storageLimit: + anyOf: + - type: integer + - type: string + description: storageLimit specifies the max amount of node + volume that can be used to store connector plugins. The + default value is `4G`. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - plugins + type: object + type: + description: type specifies the build type for connector plugins. + Currently only the `onDemand` type is supported. + enum: + - onDemand + type: string + required: + - type + type: object + configOverrides: + description: configOverrides specifies the configs to override the + server, JVM, Log4j properties for the Connect cluster. + properties: + jvm: + description: |- + jvm is a list of JVM configuration supported by the Confluent Platform component. + This will either add or update the existing configuration. + items: + type: string + type: array + log4j: + description: |- + log4j is a list of Log4J configuration supported by the Confluent Platform component. + This will either add or update the existing configuration. 
+ items: + type: string + type: array + server: + description: |- + server is a list of server configuration supported by the Confluent Platform component. + This will either add or update existing configuration. + items: + type: string + type: array + type: object + connectorOverridePolicy: + description: |- + connectorOverridePolicy allows the policy to permit per-connector override configuration + for producer/consumer/admin prefix. + More info: https://docs.confluent.io/platform/current/connect/security.html#separate-principals + enum: + - All + - Principal + type: string + connectorTLSCerts: + description: |- + connectorTLSCerts are the custom TLS certificates injected into the Connect cluster for connectors to use. + Check the Connect status for the mount path of the certificates. + A change will roll the cluster. + items: + description: MountedCustomTLSCertificate defines the mounted custom + TLS structure for the Confluent Platform component. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer contains the directory path in the container where + `keystore.jks`, `truststore.jks`, `jksPassword.txt` keys are mounted. + minLength: 1 + type: string + jksPassword: + description: jksPassword specifies the secret name that contains + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef specifies the secret name that contains the certificates. 
+ More info about certificates key/value format: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: array + dependencies: + description: ConnectDependencies contains the dependencies the Connect + requires or can enable. + properties: + admin: + description: |- + admin contains the security configuration to connect to the admin client. + If `bootstrapEndpoint` is not configured, the security is configured based on the Kafka dependency configuration. + Configure this property if different bootstrap endpoint is required for the admin client. + properties: + authentication: + description: authentication defines the authentication for + the Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another way + to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. 
+ This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. + type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls defines the client-side TLS setting for the + Kafka cluster. 
+ properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + consumer: + description: |- + consumer contains the security configuration to connect to the Kafka cluster. It is used for sink connectors. + If `bootstrapEndpoint` is not configured, the security is configured based on the Kafka dependency configuration. + Configure this property if different bootstrap endpoint is required for the consumer. + properties: + authentication: + description: authentication defines the authentication for + the Kafka cluster. 
+ properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another way + to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. 
+ minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. 
+ enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. + type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls defines the client-side TLS setting for the + Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + interceptor: + description: interceptor contains the dependency configuration + for the monitoring interceptor. + properties: + configs: + description: |- + configs describe the configurations for the Confluent Platform interceptor. + The config override feature can be used to pass the configuration settings. + items: + type: string + type: array + consumer: + description: |- + consumer specifies the consumer configuration for the interceptor. If not + configured, it uses the Kafka dependency configuration. + properties: + authentication: + description: authentication defines the authentication + for the Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another + way to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. 
+ minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. 
+ type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls defines the client-side TLS setting for + the Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + enabled: + description: enabled indicates whether the Confluent Platform + interceptor is enabled or disabled. 
+ type: boolean + producer: + description: |- + producer specifies the producer configuration for the interceptor. If not + configured, it uses the Kafka dependency configuration. + properties: + authentication: + description: authentication defines the authentication + for the Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another + way to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. 
+ minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. + type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls defines the client-side TLS setting for + the Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. 
+ type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + publishMs: + type: integer + required: + - enabled + type: object + kafka: + description: kafka contains the Connect dependency for connecting + to Kafka. The discovery method is used if this is not specified. + properties: + authentication: + description: authentication defines the authentication for + the Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another way + to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. 
+ minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. 
+ type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls defines the client-side TLS setting for the + Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + licenseCluster: + description: |- + licenseCluster contains the security configuration to connect to the License containing Kafka cluster.Note that this entry is only needed + if the license topic is stored on a different Kafka cluster than the Kafka cluster that Connect uses. + properties: + kafka: + description: |- + KafkaClientDependency configures the Confluent Platform component dependency + for the Kafka cluster. + properties: + authentication: + description: authentication defines the authentication + for the Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another + way to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. 
+ This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. + type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls defines the client-side TLS setting for + the Kafka cluster. 
+ properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + topic: + description: The name of the Kafka topic where the license + is stored. This defaults to _confluent-command. + type: string + type: object + mds: + description: mds contains the configuration for MDS dependency + when RBAC is enabled. + properties: + authentication: + description: authentication specifies the client side authentication + configuration for the MDS. + properties: + bearer: + description: bearer specifies the bearer authentication + settings. 
+ properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the OAuth authentication + settings. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. 
+ minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass + the basic credential through a directory path in + the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to + pass the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication method + for the MDS. The valid option is `bearer`, `oauth`. + enum: + - bearer + - oauth + type: string + required: + - type + type: object + endpoint: + description: endpoint specifies the MDS endpoint. + minLength: 1 + pattern: ^https?://.* + type: string + ssoProtocol: + description: sso protocol, valid options are ldap and oidc. 
+ enum: + - ldap + - oidc + type: string + tls: + description: ClientTLSConfig specifies the TLS configuration + for the Confluent component (dependencies, listeners). + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + tokenKeyPair: + description: tokenKeyPair specifies the token keypair to configure + the MDS. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer defines the directory path in the container + where the MDS token key pair are mounted. 
+ minLength: 1 + type: string + encryptedTokenKey: + description: |- + EncryptedTokenKey boolean value indicating whether the tokenKeypair(private used for signing) is encrypted using a passphrase. If true, cfk + operator will look for a file named mdsTokenKeyPassphrase.txt containing key value pair + mdsTokenKeyPassphrase=. Relevant only for mds server. Ignored if set for a client configuration. + type: boolean + secretRef: + description: secretRef references the name of the secret + that contains the MDS token key pair. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - authentication + - endpoint + - tokenKeyPair + type: object + producer: + description: |- + producer contains the security configuration to connect to the Kafka cluster. It is used for source connectors. + If `bootstrapEndpoint` is not configured, the security is configured based on the Kafka dependency configuration. + Configure this property if different bootstrap endpoint of security is required for the producer. + properties: + authentication: + description: authentication defines the authentication for + the Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another way + to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. 
+ minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. 
+ type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls defines the client-side TLS setting for the + Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + schemaRegistry: + description: schemaRegistry contains the dependency configuration + for the Schema Registry cluster. 
+ properties: + authentication: + description: authentication specifies the authentication for + the Schema Registry cluster. + properties: + basic: + description: basic specifies the configuration for basic + authentication. + properties: + debug: + description: debug enables the basic authentication + debug logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the configuration for OAuth + authentication. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. 
+ minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass + the basic credential through a directory path in + the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to + pass the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication scheme + for the REST API client. Valid options are `basic`, + `oauth` and `mtls`. 
+ enum: + - basic + - mtls + - oauth + type: string + required: + - type + type: object + tls: + description: tls defines the client-side TLS setting for the + Schema Registry cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + url: + description: url specifies the URL endpoint of the Schema + Registry cluster. + minLength: 1 + pattern: ^https?://.* + type: string + required: + - url + type: object + type: object + enableExternalInterInstance: + description: |- + ExternalInterInstance is only needed for multi-cluster deployment or stretch cluster. 
+ when set to true the connect server will use the external listener for inter-instance communication. + type: boolean + enableSchemas: + description: enableSchemas indicates whether to enable scheme or not. + type: boolean + externalAccess: + description: CPExternalAccess holds all external access policies for + the non-Kafka component clusters. + properties: + loadBalancer: + description: loadBalancer specifies the configuration to create + a Kubernetes load balancer service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain is the domain name of the component cluster. 
+ minLength: 1 + type: string + externalTrafficPolicy: + description: externalTrafficPolicy specifies the external + traffic policy for the service. Valid options are `Local` + and `Cluster`. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + loadBalancerSourceRanges: + description: loadBalancerSourceRanges specify the source ranges. + items: + type: string + type: array + port: + description: |- + port specifies the external port for the client consumption. + If not configured, the same internal/external port is configured for the component. + Information about the port can be retrieved through the status API. + format: int32 + type: integer + prefix: + description: |- + prefix specify the prefix for the given domain. + The default value is the name of the cluster. + minLength: 1 + type: string + servicePorts: + description: servicePorts specify the user-provided service + port(s). + items: + description: ServicePort contains information on service's + port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). 
+ + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. 
Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations of Client + IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - domain + type: object + nodePort: + description: nodePort specifies the configuration to create a + Kubernetes node port service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to `://:, where`podId` starts from `0` to `replicaCount - 1`. 
+ This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + externalTrafficPolicy: + description: |- + externalTrafficPolicy specifies the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + host: + description: host defines the host name of the cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + nodePortOffset: + description: |- + nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect + to the replicas count. + NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server. + The default Kubernetes Node Port range is `30000` - `32762`. 
+ format: int32 + minimum: 0 + type: integer + servicePorts: + description: |- + servicePorts specify user-provided service port(s). + For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service. + items: + description: ServicePort contains information on service's + port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. 
If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations of Client + IP based session affinity. 
+ properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - host + - nodePortOffset + type: object + route: + description: route specifies the configuration to create a route + service in OpenShift. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://-http-external.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain specifies the domain name of the Confluent + component cluster. 
+ minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + prefix: + description: |- + prefix specifies the component prefix when configured for the domain. + The default value is the name of the cluster. + minLength: 1 + type: string + wildcardPolicy: + description: |- + wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`. + The default value is `None`. + enum: + - Subdomain + - None + type: string + required: + - domain + type: object + type: + description: |- + type specifies the Kubernetes external service for the component. + Valid options are `loadBalancer`, `nodePort`, and `route`. + enum: + - loadBalancer + - nodePort + - route + minLength: 1 + type: string + required: + - type + type: object + headlessService: + description: headlessService specifies the configuration of the Kubernetes + headless service. + properties: + annotations: + additionalProperties: + type: string + description: |- + annotations is a map of string key and value pairs. + It specifies the annotations to be added to the CFK-created headless service. + These annotations are merged with the injectAnnotations and take precedence. + type: object + x-kubernetes-map-type: granular + labels: + additionalProperties: + type: string + description: |- + labels is a map of string key and value pairs. + It specifies the labels to be added to the CFK-created headless service. + These labels are merged with the injectLabels and take precedence. + type: object + x-kubernetes-map-type: granular + publishNotReadyAddresses: + description: |- + publishNotReadyAddresses specifies the publishNotReadyAddresses field. + For Kafka, this value must be true. The default value is true. 
+ type: boolean + type: object + image: + description: |- + image specifies the application and the init docker image configurations. + A change to this setting will roll the cluster. + properties: + application: + description: |- + application is the Docker image name of the application. Specify + `//:`. + pattern: .+:.+ + type: string + init: + description: |- + init is the init-container name. Specify + `//:`. + pattern: .+:.+ + type: string + pullPolicy: + description: |- + pullPolicy is the policy for pulling images. Valid options are `Always`, `Never`, and `IfNotPresent`. + The default value is `IfNotPresent`. + enum: + - Always + - Never + - IfNotPresent + type: string + pullSecretRef: + description: |- + pullSecretRef references the secrets in the same namespace to be used for pulling images. + Image pull secrets are distinct from secrets because secrets + can be mounted in the pod, but image pull secrets are only accessed by `kubelet`. + More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + items: + type: string + type: array + required: + - application + - init + type: object + injectAnnotations: + additionalProperties: + type: string + description: |- + injectAnnotations are the annotations injected to the internal resources that CFK created. + The internal annotations are preserved and cannot be overridden. + For pod annotations, use `podTemplate.annotations`. + type: object + x-kubernetes-map-type: granular + injectLabels: + additionalProperties: + type: string + description: |- + injectLabels are the labels injected to the internal resources that CFK created. + The internal labels are preserved and cannot be overridden. + For pod labels, use `podTemplate.labels`. + type: object + x-kubernetes-map-type: granular + internalTopicReplicationFactor: + description: |- + internalTopicReplicationFactor specifies the replication factor for the internal topics. + The default value is `3`. 
+ format: int32 + type: integer + k8sClusterDomain: + description: |- + k8sClusterDomain specifies the configuration of the Kubernetes cluster domain. + The default is the `cluster.local` domain. + type: string + keyConverterType: + description: |- + keyConverterType specifies the supported key converters package for the Confluent Platform. + For the supported converter types, see https://docs.confluent.io/current/connect/concepts.html#connect-converters. + The default value is `org.apache.kafka.connect.json.JsonConverter`. + minLength: 1 + type: string + license: + description: license specifies the license configuration for the Confluent + Platform component. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + the license key is mounted. More info: + https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses + minLength: 1 + type: string + globalLicense: + description: globalLicense specifies whether the Confluent Platform + component shares the common global license. + type: boolean + secretRef: + description: |- + secretRef references the secret that provides the license for the Confluent Platform component. + More info: https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + metrics: + description: metrics specify the security settings for the metric + services. + properties: + authentication: + description: authentication specifies the authentication configuration + for the metrics. + properties: + type: + description: type specifies the metrics authentication method. + The valid option is `mtls`. + enum: + - mtls + type: string + required: + - type + type: object + prometheus: + description: prometheus specifies the configuration overrides + for the JMX-Prometheus exporter. 
+ properties: + blacklist: + items: + type: string + type: array + rules: + items: + description: Rule defines the Prometheus Exporter rule override. + properties: + attrNameSnakeCase: + type: boolean + cache: + type: boolean + help: + minLength: 1 + type: string + labels: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + name: + minLength: 1 + type: string + pattern: + minLength: 1 + type: string + type: + minLength: 1 + type: string + value: + minLength: 1 + type: string + valueFactor: + anyOf: + - type: integer + - type: string + default: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: array + whitelist: + items: + type: string + type: array + type: object + tls: + description: tls specifies the TLS configuration for the metrics. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + mountedSecrets: + description: |- + mountedSecrets list the secrets injected to + the underlying statefulset configuration. The secret reference is mounted + in the default path `/mnt/secrets/`. The underlying resources + will follow the secret as a file configuration. + More info: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod. + A change to this setting will roll the cluster. + items: + description: |- + MountedSecrets provides a way to inject a custom secret to the underlying + statefulset. + properties: + keyItems: + description: keyItems are key and path names. + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. 
+ May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + secretRef: + description: secretRef references the name of the secret. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + type: array + mountedVolumes: + description: |- + mountedVolumes list the custom volumes that need to be mounted into the + underlying statefulset. + A change to this setting will roll the cluster. + properties: + volumeMounts: + description: |- + volumeMounts specify the list of volume mounts for the pods in the + statefulset. + items: + description: VolumeMount describes a mounting of a Volume within + a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. 
+ type: string + required: + - mountPath + - name + type: object + type: array + volumes: + description: |- + volumes specify the list of volumes that can be mounted into the pods + of statefulset. + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk mount + on the host and bind mount to the pod. 
+ properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk in + the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in the + blob storage + type: string + fsType: + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure managed + data disk (only in managed availability set). defaults + to shared' + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. 
+ type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the host + that shares a pod's lifetime + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. 
+ type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about the + pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the + pod: only annotations, labels, name and namespace + are supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must not + be absolute or contain the ''..'' path. Must + be utf-8 encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. 
+ The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. 
Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. 
+ When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. 
+ * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. 
+ type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource that + is attached to a kubelet's host machine and then exposed + to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target worldwide + names (WWNs)' + items: + type: string + type: array + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + properties: + driver: + description: driver is the name of the driver to use + for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
+ type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the specified + revision. 
+ type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md + properties: + endpoints: + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. 
+ More info: https://examples.k8s.io/volumes/iscsi/README.md + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. 
+ type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon Controller + persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources secrets, + configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected along + with other supported volume types + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the configMap + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. 
Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the + downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". 
+ type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about the secret + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. 
+ May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. 
+ type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount on the host + that shares a pod's lifetime + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references an already + created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + image: + description: |- + image is the rados image name. 
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + pool: + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the ScaleIO + API Gateway. 
+ type: string + protectionDomain: + description: protectionDomain is the name of the ScaleIO + Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL communication + with Gateway, default false + type: boolean + storageMode: + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage Pool + associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether the Secret + or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume attached + and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume attached + and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. 
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy Based + Management (SPBM) profile ID associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - volumeMounts + - volumes + type: object + oneReplicaPerNode: + description: |- + oneReplicaPerNode controls whether to run 1 pod per node using the pod anti-affinity capability. + Enabling this configuration in an existing cluster will roll the cluster. + type: boolean + pdb: + description: |- + configures PodDisruptionBudget for the Confluent Platform component. + by default PDB is configured based on pre-detemined formula. + properties: + enabled: + description: enabled specifies whether the PodDisruptionBudget + is enabled + type: boolean + maxUnavailable: + description: maxUnavailable is the maximum number of pods that + can be unavailable during the disruption. + format: int32 + type: integer + required: + - enabled + type: object + podTemplate: + description: podTemplate specifies the statefulset pod template configuration. + properties: + affinity: + description: |- + affinity specifies a group of affinity scheduling rules. + More info: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. 
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. 
+ When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. 
due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + description: |- + annotations is a map of string key and value pairs stored with the resource and + may be set by external tools to store and retrieve arbitrary metadata. They + are not queryable and should be preserved when modifying objects. More + info: http://kubernetes.io/docs/user-guide/annotations. + type: object + x-kubernetes-map-type: granular + envVars: + description: |- + envVars contain environment variables to be injected into containers. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". 
+ type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + labels: + additionalProperties: + type: string + description: |- + labels is a map of string key and value pairs that can be used to organize and categorize + (scope and select) objects. + More info: http://kubernetes.io/docs/user-guide/labels. + type: object + x-kubernetes-map-type: granular + podSecurityContext: + description: |- + PodSecurityContext holds pod-level security attributes and common container settings. + Some fields are also present in container.securityContext. Field values of + container.securityContext take precedence over field values of PodSecurityContext. + properties: + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. 
+ Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. 
+ Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. 
+ Unconfined - no profile should be applied. + type: string + required: + - type + type: object + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in addition + to the container's primary GID, the fsGroup (if specified), and group memberships + defined in the container image for the uid of the container process. If unspecified, + no additional groups are added to any container. Note that group memberships + defined in the container image for the uid of the container process are still effective, + even if they are not included in this list. + Note that this field cannot be set when spec.os.name is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. 
+ type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + priorityClassName: + description: priorityClassName specifies the priority class for + the pod (if any). + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + probe: + description: probe contains the fields for standard Kubernetes + readiness/liveness probe configuration. + properties: + liveness: + description: |- + liveness configures the Kubernetes probe settings. The changes + will override the existing default configuration. + properties: + failureThreshold: + description: |- + failureThreshold is the minimum consecutive failures for the probe to be considered failed. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + initialDelaySeconds: + description: |- + initialDelaySeconds is the number of seconds after the container has started and before probes are initiated. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. 
+ format: int32 + type: integer + path: + description: Path for the HTTP probe + type: string + periodSeconds: + description: |- + periodSeconds specifies how often to perform the probe. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + port: + description: Number of the port to access on the container + type: integer + successThreshold: + description: |- + successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed. + The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`. + format: int32 + type: integer + timeoutSeconds: + description: |- + timeoutSeconds is the number of seconds after which the probe times out. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + type: object + readiness: + description: |- + readiness configures the Kubernetes probe setting. The changes + will override the existing default configuration. + properties: + failureThreshold: + description: |- + failureThreshold is the minimum consecutive failures for the probe to be considered failed. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + initialDelaySeconds: + description: |- + initialDelaySeconds is the number of seconds after the container has started and before probes are initiated. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + path: + description: Path for the HTTP probe + type: string + periodSeconds: + description: |- + periodSeconds specifies how often to perform the probe. 
+ Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + port: + description: Number of the port to access on the container + type: integer + successThreshold: + description: |- + successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed. + The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`. + format: int32 + type: integer + timeoutSeconds: + description: |- + timeoutSeconds is the number of seconds after which the probe times out. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + type: object + type: object + resources: + description: resources describe the compute resource requirements. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: |- + SecurityContext holds security configuration that will be applied to a container. + Some fields are present in both SecurityContext and PodSecurityContext. When both + are set, the values in SecurityContext take precedence. + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. 
+ properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default is DefaultProcMount which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. 
+ Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + serviceAccountName: + description: |- + ServiceAccountName is the name of the service account used to run this pod. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account. 
+ type: string + terminationGracePeriodSeconds: + description: terminationGracePeriodSeconds is the grace period + before the pod is deleted. + format: int64 + type: integer + tolerations: + description: |- + tolerations specify the pods to schedule onto the nodes with matching taints, using + the triple `` and the matching operator ``. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + topologySpreadConstraints describe how a group of pods ought to spread across topology domains. 
Scheduler will + schedule pods based on the constraints. All topologySpreadConstraints are ANDed. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + + + This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. 
+ type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. 
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + replicas: + description: |- + replicas is the desired number of replicas. + A change to this setting will roll the cluster. + format: int32 + type: integer + telemetry: + description: telemetry specifies the Confluent telemetry reporter + configuration. + properties: + global: + description: |- + global allows disabling telemetry configuration. + If CFK is deployed with telemetry, this field is only + used to disable telemetry. The default value is `true` if + telemetry is enabled at the global level. + type: boolean + type: object + tls: + description: tls specifies the global-level TLS configuration. + properties: + autoGeneratedCerts: + description: |- + autoGeneratedCerts specifies that the certificates are auto-generated based on + the CA key pair provided. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + fips: + description: |- + fips specifies the configuration of FIPS compliant Bouncy Castle type Java Keystores for the cp component's + TLS settings. 
TLS Secrets must have the keys keystore.bcfks, truststore.bcfks, and jksPassword.txt + properties: + enabled: + description: enabled specifies whether to enable the FIPS + configuration for cp components. + type: boolean + required: + - enabled + type: object + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing the + JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + valueConverterType: + description: |- + valueConverterType specifies the supported value converters package for the Confluent Platform. + For the supported converter types, see https://docs.confluent.io/current/connect/concepts.html#connect-converters. + The default value is `org.apache.kafka.connect.json.JsonConverter`. + minLength: 1 + type: string + required: + - image + type: object + status: + description: status defines the observed state of the Connect cluster. + properties: + arbitraryData: + description: arbitraryData is the map for any arbitrary data associated + with this Confluent component. + x-kubernetes-preserve-unknown-fields: true + authorizationType: + description: authorizationType is the authorization type for this + Confluent component. 
+ type: string + clusterName: + description: clusterName is the name of the Confluent Platform component + cluster. + type: string + clusterNamespace: + description: clusterNamespace is the namespace where the Confluent + Platform component cluster is running. + type: string + conditions: + description: conditions specify the latest available observations + of the current state. + items: + description: Condition represent the latest available observations + of the current state. + properties: + lastProbeTime: + description: lastProbeTime shows the last time the condition + was evaluated. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime shows the last time the condition + was transitioned from one status to another. + format: date-time + type: string + message: + description: message shows a human-readable message with details + about the transition. + type: string + reason: + description: reason shows the reason for the last transition + of the condition. + type: string + status: + description: status shows the status of the condition, one of + `True`, `False`, or `Unknown`. + type: string + type: + description: type shows the condition type. + type: string + type: object + type: array + connectorPlugins: + description: connectorPlugins are the installed connector plugins. + items: + description: ConnectorPluginStatus defines the state of the connector + plugin. + properties: + class: + description: class specifies the class name of the connector + plugin. + type: string + type: + description: type is the connector plugin type, which can be + `SOURCE`, `SINK` or `UNKNOWN`. + type: string + version: + description: version is the current version of the connector + plugin. + type: string + required: + - class + type: object + type: array + connectorTLSFilePaths: + description: connectorTLSFilePaths are the connector TLS file paths. 
+ items: + description: CustomTLSFilePathStatus specifies the file paths of + the custom TLS certificates. + properties: + jksPasswordPath: + description: jksPasswordPath contains the absolute path of the + `jksPassword.txt` file. + type: string + keyStorePath: + description: keyStorePath contains the absolute path of the + keystore file, `.jks` or `.p12`. + type: string + trustStorePath: + description: trustStorePath contains the absolute path of the + truststore file, `.jks` or `.p12`. + type: string + type: object + type: array + currentReplicas: + description: currentReplicas is the number of currently running replicas. + format: int32 + type: integer + groupID: + description: groupID is the group id of the Connect cluster. + type: string + internalSecrets: + description: |- + internalSecrets are internal secrets created + by CFK for this Confluent component. + items: + type: string + type: array + internalTopicNames: + description: internalTopicNames are the topics used by the component + for internal use. + items: + type: string + type: array + kafka: + description: kafka is the Kafka client side status for the Connect + cluster. + properties: + authenticationType: + description: authenticationType describes the authentication method + for the Kafka cluster. + type: string + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap endpoint. + type: string + tls: + description: tls indicates whether TLS is enabled for the Kafka + dependency. + type: boolean + type: object + observedGeneration: + description: observedGeneration is the most recent generation observed + for this Confluent component. + format: int64 + type: integer + operatorVersion: + description: operatorVersion is the internal version of CFK. + type: string + phase: + description: |- + phase describes the state of the Confluent Platform component. 
This can either be 'PROVISIONING' + or 'RUNNING' + 'PROVISIONING' means the Confluent Platform component is currently getting deployed and not ready yet. + 'RUNNING' means the Confluent Platform component has been successfully deployed. + type: string + rbac: + description: rbac contains the RBAC-related status when RBAC is enabled. + properties: + clusterID: + description: clusterID specifies the id of the cluster. + type: string + internalRolebindings: + description: internalRolebindings specifies the internal rolebindings. + items: + type: string + type: array + type: object + readyReplicas: + description: readyReplicas is the number of currently ready replicas. + format: int32 + type: integer + replicas: + description: replicas is the number of replicas. + format: int32 + type: integer + restConfig: + description: restConfig is the REST configuration of the Connect cluster. + properties: + advertisedExternalEndpoints: + description: advertisedExternalEndpoints specifies other advertised + endpoints used, especially for Kafka. + items: + type: string + type: array + authenticationType: + description: authenticationType shows the authentication type + configured by the listener. + type: string + externalAccessType: + description: externalAccessType shows the external access type + used for the listener. + type: string + externalEndpoint: + description: externalEndpoint specifies the external endpoint + to connect to the Confluent component cluster. + type: string + internalEndpoint: + description: internalEndpoint specifies the internal endpoint + to connect to the Confluent component cluster. + type: string + tls: + description: tls shows whether TLS is configured for the listener. + type: boolean + type: object + selector: + description: |- + selector gets the label selector of the child pod. + The Horizontal Pod Autoscaler(HPA) will scale using the label selector of the child pod. 
+ type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.replicas + status: {} diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_controlcenters.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_controlcenters.yaml new file mode 100644 index 000000000..0b1288d2f --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_controlcenters.yaml 
@@ -0,0 +1,6394 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: controlcenters.platform.confluent.io +spec: + group: platform.confluent.io + names: + categories: + - all + - confluent-platform + - confluent + kind: ControlCenter + listKind: ControlCenterList + plural: controlcenters + shortNames: + - controlcenter + - c3 + singular: controlcenter + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.replicas + name: Replicas + type: string + - jsonPath: .status.readyReplicas + name: Ready + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.kafka.bootstrapEndpoint + name: Kafka + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: ControlCenter is the schema for the Control Center API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of the Control Center cluster. + properties: + authentication: + description: authentication specifies the authentication configurations. + properties: + basic: + description: basic specifies the configuration for basic authentication. 
+ properties: + debug: + description: debug enables the basic authentication debug + logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + ldap: + description: ldap specifies the configuration for Control Center + LDAP authentication. + properties: + debug: + description: debug enables basic authentication debug logs + for JaaS configuration. + type: boolean + property: + additionalProperties: + type: string + description: |- + property is a map of string key and value pairs that specifies the LDAP configuration. + Use a secret object to pass username/password. + type: object + x-kubernetes-map-type: granular + restrictedRoles: + description: restrictedRoles specify the restricted access + roles. + items: + type: string + minItems: 1 + type: array + roles: + description: roles specify the roles on the server side only. 
+ items: + type: string + minItems: 1 + type: array + secretRef: + description: |- + secretRef references the secret to pass required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#ldap-authentication-for-c3 + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: type specifies the authentication type of the Control + Center. Valid options are `basic`, `ldap`, and `mtls`. + enum: + - basic + - ldap + - mtls + type: string + required: + - type + type: object + authorization: + description: authorization specifies the authorization configurations. + properties: + kafkaRestClassRef: + description: |- + kafkaRestClassRef references the KafkaRestClass + which specifies the Kafka REST API connection configuration. + properties: + name: + description: name specifies the name of the KafkaRestClass + application resource. + minLength: 1 + type: string + namespace: + description: namespace specifies the namespace of the KafkaRestClass. + type: string + required: + - name + type: object + type: + description: type specifies the client-side authorization type. + The valid option is `rbac`. + enum: + - rbac + type: string + required: + - type + type: object + configOverrides: + description: configOverrides specifies the configs to override the + server, JVM, Log4j properties for the Control Center. + properties: + jvm: + description: |- + jvm is a list of JVM configuration supported by the Confluent Platform component. + This will either add or update the existing configuration. + items: + type: string + type: array + log4j: + description: |- + log4j is a list of Log4J configuration supported by the Confluent Platform component. + This will either add or update the existing configuration. + items: + type: string + type: array + server: + description: |- + server is a list of server configuration supported by the Confluent Platform component. 
+ This will either add or update existing configuration. + items: + type: string + type: array + type: object + dataVolumeCapacity: + anyOf: + - type: integer + - type: string + description: dataVolumeCapacity specifies the data size for the persistent + volume. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + dependencies: + description: dependencies specify the dependencies configurations. + properties: + connect: + description: connect defines the Connect worker dependency configurations. + items: + description: ControlCenterConnectDependency defines the Connect + dependency settings. + properties: + authentication: + description: authentication specifies the authentication + configuration for the Connect cluster. + properties: + basic: + description: basic specifies the configuration for basic + authentication. + properties: + debug: + description: debug enables the basic authentication + debug logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the configuration for OAuth + authentication. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience + claim in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max + retry backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry + backoff with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of + claim in JWT to use for the subject. 
+ minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to + pass the basic credential through a directory + path in the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference + to pass the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication scheme + for the REST API client. Valid options are `basic`, + `oauth` and `mtls`. + enum: + - basic + - mtls + - oauth + type: string + required: + - type + type: object + name: + description: name specifies the Connect cluster name. + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + tls: + description: tls specifies the client-side TLS setting for + the Connect cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. 
+ properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + url: + description: url specifies the URL endpoint of the Connect + cluster. + minLength: 1 + pattern: ^https?://.* + type: string + required: + - name + - url + type: object + type: array + kafka: + description: kafka defines the Kafka dependency configurations. + properties: + authentication: + description: authentication defines the authentication for + the Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another way + to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. 
+ minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. 
+ type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls defines the client-side TLS setting for the + Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + ksqldb: + description: ksqldb defines the ksqlDB dependency configurations. 
+ items: + description: ControlCenterKSQLDependency defines the ksqlDB + dependency settings. + properties: + advertisedUrl: + description: advertisedUrl specifies the advertised URL + to use in the browser. + minLength: 1 + pattern: ^https?://.* + type: string + authentication: + description: authentication specifies the authentication + for the ksqlDB cluster. + properties: + basic: + description: basic specifies the configuration for basic + authentication. + properties: + debug: + description: debug enables the basic authentication + debug logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the configuration for OAuth + authentication. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience + claim in the JWT payload. 
+ minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max + retry backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry + backoff with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of + claim in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to + pass the basic credential through a directory + path in the container. 
+ minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference + to pass the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication scheme + for the REST API client. Valid options are `basic`, + `oauth` and `mtls`. + enum: + - basic + - mtls + - oauth + type: string + required: + - type + type: object + name: + description: name specifies the ksqlDB cluster name. + minLength: 1 + type: string + tls: + description: tls specifies the client-side TLS setting for + the ksqlDB cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + url: + description: url specifies the URL endpoint of the ksqlDB + cluster. + minLength: 1 + pattern: ^https?://.* + type: string + required: + - name + - url + type: object + type: array + mds: + description: mds defines the RBAC dependency configurations. + properties: + authentication: + description: authentication specifies the client side authentication + configuration for the MDS. + properties: + bearer: + description: bearer specifies the bearer authentication + settings. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the OAuth authentication + settings. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). 
+ It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass + the basic credential through a directory path in + the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to + pass the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication method + for the MDS. The valid option is `bearer`, `oauth`. + enum: + - bearer + - oauth + type: string + required: + - type + type: object + endpoint: + description: endpoint specifies the MDS endpoint. 
+ minLength: 1 + pattern: ^https?://.* + type: string + ssoProtocol: + description: sso protocol, valid options are ldap and oidc. + enum: + - ldap + - oidc + type: string + tls: + description: ClientTLSConfig specifies the TLS configuration + for the Confluent component (dependencies, listeners). + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + tokenKeyPair: + description: tokenKeyPair specifies the token keypair to configure + the MDS. 
+ properties: + directoryPathInContainer: + description: |- + directoryPathInContainer defines the directory path in the container + where the MDS token key pair are mounted. + minLength: 1 + type: string + encryptedTokenKey: + description: |- + EncryptedTokenKey boolean value indicating whether the tokenKeypair(private used for signing) is encrypted using a passphrase. If true, cfk + operator will look for a file named mdsTokenKeyPassphrase.txt containing key value pair + mdsTokenKeyPassphrase=. Relevant only for mds server. Ignored if set for a client configuration. + type: boolean + secretRef: + description: secretRef references the name of the secret + that contains the MDS token key pair. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - authentication + - endpoint + - tokenKeyPair + type: object + schemaRegistry: + description: schemaRegistry defines the Schema Registry dependency + configurations. + properties: + authentication: + description: authentication specifies the authentication for + the Schema Registry cluster. + properties: + basic: + description: basic specifies the configuration for basic + authentication. + properties: + debug: + description: debug enables the basic authentication + debug logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. 
+ This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the configuration for OAuth + authentication. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. 
+ minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass + the basic credential through a directory path in + the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to + pass the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication scheme + for the REST API client. Valid options are `basic`, + `oauth` and `mtls`. + enum: + - basic + - mtls + - oauth + type: string + required: + - type + type: object + clusters: + items: + description: ControlCenterMultiSchemaRegistryDependency + defines the Schema Registry dependency List. + properties: + authentication: + description: authentication specifies the authentication + for the Schema Registry cluster. + properties: + basic: + description: basic specifies the configuration for + basic authentication. + properties: + debug: + description: debug enables the basic authentication + debug logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. 
+ Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the configuration for + OAuth authentication. + properties: + configuration: + description: configuration specifies the OAuth + server settings. + properties: + audience: + description: audience specifies the audience + claim in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the + expected issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the + name of claim in token for identifying + the groups of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. 
+ minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets + connect timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read + timeout with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets + max retry backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry + backoff with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name + of claim in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows + to pass the basic credential through a directory + path in the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference + to pass the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication scheme + for the REST API client. Valid options are `basic`, + `oauth` and `mtls`. + enum: + - basic + - mtls + - oauth + type: string + required: + - type + type: object + name: + description: name defines the Schema Registry cluster + name. 
+ minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + tls: + description: tls defines the client-side TLS setting + for the Schema Registry cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS + configuration for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + url: + description: url specifies the URL endpoint of the Schema + Registry cluster. + minLength: 1 + pattern: ^https?://.* + type: string + required: + - name + - url + type: object + type: array + tls: + description: tls defines the client-side TLS setting for the + Schema Registry cluster. 
+ properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + url: + description: url specifies the URL endpoint of the Schema + Registry cluster. + minLength: 1 + pattern: ^https?://.* + type: string + required: + - url + type: object + type: object + externalAccess: + description: externalAccess specifies the external access configuration + for the Control Center cluster. + properties: + loadBalancer: + description: loadBalancer specifies the configuration to create + a Kubernetes load balancer service. 
+ properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain is the domain name of the component cluster. + minLength: 1 + type: string + externalTrafficPolicy: + description: externalTrafficPolicy specifies the external + traffic policy for the service. Valid options are `Local` + and `Cluster`. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. 
+ type: object + x-kubernetes-map-type: granular + loadBalancerSourceRanges: + description: loadBalancerSourceRanges specify the source ranges. + items: + type: string + type: array + port: + description: |- + port specifies the external port for the client consumption. + If not configured, the same internal/external port is configured for the component. + Information about the port can be retrieved through the status API. + format: int32 + type: integer + prefix: + description: |- + prefix specify the prefix for the given domain. + The default value is the name of the cluster. + minLength: 1 + type: string + servicePorts: + description: servicePorts specify the user-provided service + port(s). + items: + description: ServicePort contains information on service's + port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. 
When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. 
`ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations of Client + IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - domain + type: object + nodePort: + description: nodePort specifies the configuration to create a + Kubernetes node port service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to `://:, where`podId` starts from `0` to `replicaCount - 1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. 
+ minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + externalTrafficPolicy: + description: |- + externalTrafficPolicy specifies the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + host: + description: host defines the host name of the cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + nodePortOffset: + description: |- + nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect + to the replicas count. + NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server. + The default Kubernetes Node Port range is `30000` - `32762`. + format: int32 + minimum: 0 + type: integer + servicePorts: + description: |- + servicePorts specify user-provided service port(s). + For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service. + items: + description: ServicePort contains information on service's + port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). 
+ + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. 
Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations of Client + IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - host + - nodePortOffset + type: object + route: + description: route specifies the configuration to create a route + service in OpenShift. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://-http-external.` where podId starts from `0` to `replicaCount -1`. 
+ This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain specifies the domain name of the Confluent + component cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + prefix: + description: |- + prefix specifies the component prefix when configured for the domain. + The default value is the name of the cluster. + minLength: 1 + type: string + wildcardPolicy: + description: |- + wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`. + The default value is `None`. + enum: + - Subdomain + - None + type: string + required: + - domain + type: object + type: + description: |- + type specifies the Kubernetes external service for the component. 
+ Valid options are `loadBalancer`, `nodePort`, and `route`. + enum: + - loadBalancer + - nodePort + - route + minLength: 1 + type: string + required: + - type + type: object + headlessService: + description: headlessService specifies the configuration of the Kubernetes + headless service. + properties: + annotations: + additionalProperties: + type: string + description: |- + annotations is a map of string key and value pairs. + It specifies the annotations to be added to the CFK-created headless service. + These annotations are merged with the injectAnnotations and take precedence. + type: object + x-kubernetes-map-type: granular + labels: + additionalProperties: + type: string + description: |- + labels is a map of string key and value pairs. + It specifies the labels to be added to the CFK-created headless service. + These labels are merged with the injectLabels and take precedence. + type: object + x-kubernetes-map-type: granular + publishNotReadyAddresses: + description: |- + publishNotReadyAddresses specifies the publishNotReadyAddresses field. + For Kafka, this value must be true. The default value is true. + type: boolean + type: object + id: + description: |- + id specifies the prefix used for this instance of Control Center + when multiple instances of Control Center co-exist. + format: int32 + type: integer + image: + description: |- + image specifies the application and the init docker image configurations. + A change to this setting will roll the cluster. + properties: + application: + description: |- + application is the Docker image name of the application. Specify + `//:`. + pattern: .+:.+ + type: string + init: + description: |- + init is the init-container name. Specify + `//:`. + pattern: .+:.+ + type: string + pullPolicy: + description: |- + pullPolicy is the policy for pulling images. Valid options are `Always`, `Never`, and `IfNotPresent`. + The default value is `IfNotPresent`. 
+ enum: + - Always + - Never + - IfNotPresent + type: string + pullSecretRef: + description: |- + pullSecretRef references the secrets in the same namespace to be used for pulling images. + Image pull secrets are distinct from secrets because secrets + can be mounted in the pod, but image pull secrets are only accessed by `kubelet`. + More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + items: + type: string + type: array + required: + - application + - init + type: object + injectAnnotations: + additionalProperties: + type: string + description: |- + injectAnnotations are the annotations injected to the internal resources that CFK created. + The internal annotations are preserved and cannot be overridden. + For pod annotations, use `podTemplate.annotations`. + type: object + x-kubernetes-map-type: granular + injectLabels: + additionalProperties: + type: string + description: |- + injectLabels are the labels injected to the internal resources that CFK created. + The internal labels are preserved and cannot be overridden. + For pod labels, use `podTemplate.labels`. + type: object + x-kubernetes-map-type: granular + internalTopicReplicatorFactor: + description: internalTopicReplicationFactor specifies the replication + factor for internal topics. + format: int32 + type: integer + k8sClusterDomain: + description: |- + k8sClusterDomain specifies the configuration of the Kubernetes cluster domain. + The default is the `cluster.local` domain. + type: string + license: + description: license specifies the license configuration for the Confluent + Platform component. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + the license key is mounted. 
More info: + https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses + minLength: 1 + type: string + globalLicense: + description: globalLicense specifies whether the Confluent Platform + component shares the common global license. + type: boolean + secretRef: + description: |- + secretRef references the secret that provides the license for the Confluent Platform component. + More info: https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + mail: + description: |- + mail specifies the settings that control the SMTP server and + account used when an alert triggers an email action. + properties: + authentication: + description: |- + authentication specifies the authentication for SMTP. SMP only supports basic authentication. + For other types of authentication, use the config overrides capability. + properties: + basic: + description: basic specifies the configuration for basic authentication. + properties: + debug: + description: debug enables the basic authentication debug + logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. 
+ items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the configuration for OAuth authentication. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. 
+ minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass the + basic credential through a directory path in the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to pass + the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication scheme for + the REST API client. Valid options are `basic`, `oauth` + and `mtls`. + enum: + - basic + - mtls + - oauth + type: string + required: + - type + type: object + checkServerIdentity: + description: checkServerIdentity forces validation of server’s + certificate when using STARTTLS or SSL. + type: boolean + hostname: + description: hostname is the hostname of the outgoing SMTP server. + minLength: 1 + type: string + mailBounceAddress: + description: mailBounceAddress is the override for the `mailFrom` + config to send message. + minLength: 1 + type: string + mailFrom: + description: mailFrom is the originating address for emails sent + from the Control Center. + minLength: 1 + type: string + port: + description: port is the SMTP port open on the hostname. + format: int32 + type: integer + startTLSRequired: + description: startTLSRequired forces using STARTTLS. + type: boolean + required: + - hostname + type: object + metrics: + description: metrics specify the security settings for the metric + services. 
+ properties: + authentication: + description: authentication specifies the authentication configuration + for the metrics. + properties: + type: + description: type specifies the metrics authentication method. + The valid option is `mtls`. + enum: + - mtls + type: string + required: + - type + type: object + prometheus: + description: prometheus specifies the configuration overrides + for the JMX-Prometheus exporter. + properties: + blacklist: + items: + type: string + type: array + rules: + items: + description: Rule defines the Prometheus Exporter rule override. + properties: + attrNameSnakeCase: + type: boolean + cache: + type: boolean + help: + minLength: 1 + type: string + labels: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + name: + minLength: 1 + type: string + pattern: + minLength: 1 + type: string + type: + minLength: 1 + type: string + value: + minLength: 1 + type: string + valueFactor: + anyOf: + - type: integer + - type: string + default: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: array + whitelist: + items: + type: string + type: array + type: object + tls: + description: tls specifies the TLS configuration for the metrics. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. 
+ type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + monitoringKafkaClusters: + description: monitoringKafkaClusters specify the configurations for + the Kafka clusters that this Control Center monitors. + items: + description: MonitoringKafkaClusters defines the configuration of + the additional Kafka clusters the Control Center monitors. + properties: + authentication: + description: authentication defines the authentication for the + Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another way + to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim in + the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected issuer + in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of claim + in token for identifying the groups of subject in + the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout with + IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry backoff + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. 
+ minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim in + JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. 
+ type: string + secretRef: + description: secretRef is the name of the secret used to + discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + name: + description: name defines the Kafka cluster name. + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + tls: + description: tls defines the client-side TLS setting for the + Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + required: + - name + type: object + type: array + mountedSecrets: + description: |- + mountedSecrets list the secrets injected to + the underlying statefulset configuration. The secret reference is mounted + in the default path `/mnt/secrets/`. The underlying resources + will follow the secret as a file configuration. + More info: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod. + A change to this setting will roll the cluster. + items: + description: |- + MountedSecrets provides a way to inject a custom secret to the underlying + statefulset. + properties: + keyItems: + description: keyItems are key and path names. + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + secretRef: + description: secretRef references the name of the secret. 
+ maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + type: array + mountedVolumes: + description: |- + mountedVolumes list the custom volumes that need to be mounted into the + underlying statefulset. + A change to this setting will roll the cluster. + properties: + volumeMounts: + description: |- + volumeMounts specify the list of volume mounts for the pods in the + statefulset. + items: + description: VolumeMount describes a mounting of a Volume within + a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + volumes: + description: |- + volumes specify the list of volumes that can be mounted into the pods + of statefulset. + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. 
+ properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk mount + on the host and bind mount to the pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' 
+ type: string + diskName: + description: diskName is the Name of the data disk in + the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in the + blob storage + type: string + fsType: + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure managed + data disk (only in managed availability set). defaults + to shared' + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the host + that shares a pod's lifetime + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). 
ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about the + pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the + pod: only annotations, labels, name and namespace + are supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must not + be absolute or contain the ''..'' path. Must + be utf-8 encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. 
+ The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. 
+ + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. 
For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
+ type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. 
+ If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource that + is attached to a kubelet's host machine and then exposed + to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target worldwide + names (WWNs)' + items: + type: string + type: array + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. 
+ items: + type: string + type: array + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + properties: + driver: + description: driver is the name of the driver to use + for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. 
+ This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. 
+ properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the specified + revision. + type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md + properties: + endpoints: + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. + properties: + path: + description: |- + path of the directory on the host. 
+ If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://examples.k8s.io/volumes/iscsi/README.md + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. 
The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon Controller + persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. 
+ type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources secrets, + configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected along + with other supported volume types + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". 
+ properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. 
+ type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the configMap + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, kind, uid? + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the + downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about the secret + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. 
+ May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. 
+ type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount on the host + that shares a pod's lifetime + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references an already + created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + image: + description: |- + image is the rados image name. 
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + pool: + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the ScaleIO + API Gateway. 
+ type: string + protectionDomain: + description: protectionDomain is the name of the ScaleIO + Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL communication + with Gateway, default false + type: boolean + storageMode: + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage Pool + associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether the Secret + or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume attached + and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume attached + and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. 
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy Based + Management (SPBM) profile ID associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - volumeMounts + - volumes + type: object + name: + description: name is the Control Center cluster name. + type: string + oneReplicaPerNode: + description: |- + oneReplicaPerNode controls whether to run 1 pod per node using the pod anti-affinity capability. + Enabling this configuration in an existing cluster will roll the cluster. + type: boolean + pdb: + description: |- + configures PodDisruptionBudget for the Confluent Platform component. + by default PDB is configured based on pre-detemined formula. + properties: + enabled: + description: enabled specifies whether the PodDisruptionBudget + is enabled + type: boolean + maxUnavailable: + description: maxUnavailable is the maximum number of pods that + can be unavailable during the disruption. + format: int32 + type: integer + required: + - enabled + type: object + podTemplate: + description: podTemplate specifies the statefulset pod template configuration. + properties: + affinity: + description: |- + affinity specifies a group of affinity scheduling rules. + More info: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. 
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. 
+ When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. 
due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + description: |- + annotations is a map of string key and value pairs stored with the resource and + may be set by external tools to store and retrieve arbitrary metadata. They + are not queryable and should be preserved when modifying objects. More + info: http://kubernetes.io/docs/user-guide/annotations. + type: object + x-kubernetes-map-type: granular + envVars: + description: |- + envVars contain environment variables to be injected into containers. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". 
+ type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + labels: + additionalProperties: + type: string + description: |- + labels is a map of string key and value pairs that can be used to organize and categorize + (scope and select) objects. + More info: http://kubernetes.io/docs/user-guide/labels. + type: object + x-kubernetes-map-type: granular + podSecurityContext: + description: |- + PodSecurityContext holds pod-level security attributes and common container settings. + Some fields are also present in container.securityContext. Field values of + container.securityContext take precedence over field values of PodSecurityContext. + properties: + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. 
+ Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. 
+ Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. 
+ Unconfined - no profile should be applied. + type: string + required: + - type + type: object + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in addition + to the container's primary GID, the fsGroup (if specified), and group memberships + defined in the container image for the uid of the container process. If unspecified, + no additional groups are added to any container. Note that group memberships + defined in the container image for the uid of the container process are still effective, + even if they are not included in this list. + Note that this field cannot be set when spec.os.name is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. 
+ type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + priorityClassName: + description: priorityClassName specifies the priority class for + the pod (if any). + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + probe: + description: probe contains the fields for standard Kubernetes + readiness/liveness probe configuration. + properties: + liveness: + description: |- + liveness configures the Kubernetes probe settings. The changes + will override the existing default configuration. + properties: + failureThreshold: + description: |- + failureThreshold is the minimum consecutive failures for the probe to be considered failed. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + initialDelaySeconds: + description: |- + initialDelaySeconds is the number of seconds after the container has started and before probes are initiated. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. 
+ format: int32 + type: integer + path: + description: Path for the HTTP probe + type: string + periodSeconds: + description: |- + periodSeconds specifies how often to perform the probe. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + port: + description: Number of the port to access on the container + type: integer + successThreshold: + description: |- + successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed. + The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`. + format: int32 + type: integer + timeoutSeconds: + description: |- + timeoutSeconds is the number of seconds after which the probe times out. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + type: object + readiness: + description: |- + readiness configures the Kubernetes probe setting. The changes + will override the existing default configuration. + properties: + failureThreshold: + description: |- + failureThreshold is the minimum consecutive failures for the probe to be considered failed. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + initialDelaySeconds: + description: |- + initialDelaySeconds is the number of seconds after the container has started and before probes are initiated. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + path: + description: Path for the HTTP probe + type: string + periodSeconds: + description: |- + periodSeconds specifies how often to perform the probe. 
+ Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + port: + description: Number of the port to access on the container + type: integer + successThreshold: + description: |- + successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed. + The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`. + format: int32 + type: integer + timeoutSeconds: + description: |- + timeoutSeconds is the number of seconds after which the probe times out. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + type: object + type: object + resources: + description: resources describe the compute resource requirements. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: |- + SecurityContext holds security configuration that will be applied to a container. + Some fields are present in both SecurityContext and PodSecurityContext. When both + are set, the values in SecurityContext take precedence. + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. 
+ properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default is DefaultProcMount which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. 
+ Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + serviceAccountName: + description: |- + ServiceAccountName is the name of the service account used to run this pod. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account. 
+ type: string + terminationGracePeriodSeconds: + description: terminationGracePeriodSeconds is the grace period + before the pod is deleted. + format: int64 + type: integer + tolerations: + description: |- + tolerations specify the pods to schedule onto the nodes with matching taints, using + the triple `` and the matching operator ``. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + topologySpreadConstraints describe how a group of pods ought to spread across topology domains. 
Scheduler will + schedule pods based on the constraints. All topologySpreadConstraints are ANDed. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + + + This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. 
+ type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. 
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + replicas: + description: |- + replicas is the desired number of replicas. + A change to this setting will roll the cluster. + format: int32 + type: integer + storageClass: + description: storageClass references the user-provided storage class. + properties: + name: + description: name is the storage class name. + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + telemetry: + description: telemetry specifies the Confluent telemetry reporter + configuration. + properties: + global: + description: |- + global allows disabling telemetry configuration. + If CFK is deployed with telemetry, this field is only + used to disable telemetry. The default value is `true` if + telemetry is enabled at the global level. + type: boolean + type: object + tls: + description: tls specifies the TLS configurations. + properties: + autoGeneratedCerts: + description: |- + autoGeneratedCerts specifies that the certificates are auto-generated based on + the CA key pair provided. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. 
+ minLength: 1 + type: string + fips: + description: |- + fips specifies the configuration of FIPS compliant Bouncy Castle type Java Keystores for the cp component's + TLS settings. TLS Secrets must have the keys keystore.bcfks, truststore.bcfks, and jksPassword.txt + properties: + enabled: + description: enabled specifies whether to enable the FIPS + configuration for cp components. + type: boolean + required: + - enabled + type: object + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing the + JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - dataVolumeCapacity + - image + type: object + status: + description: status defines the observed state of the Control Center cluster. + properties: + arbitraryData: + description: arbitraryData is the map for any arbitrary data associated + with this Confluent component. + x-kubernetes-preserve-unknown-fields: true + authorizationType: + description: authorizationType is the authorization type for this + Confluent component. + type: string + clusterName: + description: clusterName is the name of the Confluent Platform component + cluster. 
+ type: string + clusterNamespace: + description: clusterNamespace is the namespace where the Confluent + Platform component cluster is running. + type: string + conditions: + description: conditions specify the latest available observations + of the current state. + items: + description: Condition represent the latest available observations + of the current state. + properties: + lastProbeTime: + description: lastProbeTime shows the last time the condition + was evaluated. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime shows the last time the condition + was transitioned from one status to another. + format: date-time + type: string + message: + description: message shows a human-readable message with details + about the transition. + type: string + reason: + description: reason shows the reason for the last transition + of the condition. + type: string + status: + description: status shows the status of the condition, one of + `True`, `False`, or `Unknown`. + type: string + type: + description: type shows the condition type. + type: string + type: object + type: array + controlCenterName: + description: name is the name of the Control Center cluster. + type: string + currentReplicas: + description: currentReplicas is the number of currently running replicas. + format: int32 + type: integer + id: + description: id is the identifier of the Control Center cluster. + format: int32 + type: integer + internalSecrets: + description: |- + internalSecrets are internal secrets created + by CFK for this Confluent component. + items: + type: string + type: array + internalTopicNames: + description: internalTopicNames are the topics used by the component + for internal use. + items: + type: string + type: array + kafka: + description: kafka is the Kafka client side status for the Control + Center cluster. 
+ properties: + authenticationType: + description: authenticationType describes the authentication method + for the Kafka cluster. + type: string + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap endpoint. + type: string + tls: + description: tls indicates whether TLS is enabled for the Kafka + dependency. + type: boolean + type: object + observedGeneration: + description: observedGeneration is the most recent generation observed + for this Confluent component. + format: int64 + type: integer + operatorVersion: + description: operatorVersion is the internal version of CFK. + type: string + phase: + description: |- + phase describes the state of the Confluent Platform component. This can either be 'PROVISIONING' + or 'RUNNING' + 'PROVISIONING' means the Confluent Platform component is currently getting deployed and not ready yet. + 'RUNNING' means the Confluent Platform component has been successfully deployed. + type: string + rbac: + description: rbac contains the RBAC-related status when RBAC is enabled. + properties: + clusterID: + description: clusterID specifies the id of the cluster. + type: string + internalRolebindings: + description: internalRolebindings specifies the internal rolebindings. + items: + type: string + type: array + type: object + readyReplicas: + description: readyReplicas is the number of currently ready replicas. + format: int32 + type: integer + replicas: + description: replicas is the number of replicas. + format: int32 + type: integer + restConfig: + description: restConfig is the REST API configuration of the Control + Center cluster. + properties: + advertisedExternalEndpoints: + description: advertisedExternalEndpoints specifies other advertised + endpoints used, especially for Kafka. + items: + type: string + type: array + authenticationType: + description: authenticationType shows the authentication type + configured by the listener. 
+ type: string + externalAccessType: + description: externalAccessType shows the external access type + used for the listener. + type: string + externalEndpoint: + description: externalEndpoint specifies the external endpoint + to connect to the Confluent component cluster. + type: string + internalEndpoint: + description: internalEndpoint specifies the internal endpoint + to connect to the Confluent component cluster. + type: string + tls: + description: tls shows whether TLS is configured for the listener. + type: boolean + type: object + selector: + description: |- + selector gets the label selector of the child pod. + The Horizontal Pod Autoscaler(HPA) will scale using the label selector of the child pod. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + scale: + specReplicasPath: .spec.replicas + statusReplicasPath: .status.replicas + status: {} diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kafkarestclasses.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kafkarestclasses.yaml new file mode 100644 index 000000000..4eb8d72fc --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kafkarestclasses.yaml 
@@ -0,0 +1,557 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: kafkarestclasses.platform.confluent.io +spec: + group: platform.confluent.io + names: + categories: + - all + - confluent-platform + - confluent + kind: KafkaRestClass + listKind: KafkaRestClassList + plural: kafkarestclasses + shortNames: + - krc + - kafkarestclass + singular: kafkarestclass + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: KafkaRestClass is the schema for the Kafka REST API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of the KafkaRestClass. + properties: + kafkaClusterRef: + description: kafkaClusterRef specifies the name of the Kafka cluster. + properties: + name: + description: name specifies the name of the Confluent Platform + component cluster. + type: string + namespace: + description: namespace specifies the namespace where the Confluent + Platform component cluster is running. + type: string + required: + - name + type: object + kafkaRest: + description: kafkaRest specifies the Kafka REST API configuration. 
+ properties: + authentication: + description: authentication specifies the REST API authentication + mechanism. + properties: + basic: + description: basic specifies the basic authentication settings + for the REST API client. + properties: + debug: + description: debug enables the basic authentication debug + logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + bearer: + description: bearer specifies the bearer authentication settings + for the REST API client. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the OAuth authentication settings + for the REST API client. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. 
+ minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass the + basic credential through a directory path in the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to pass + the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the REST API authentication type. + Valid options are `basic`, `bearer`, `mtls` and `oauth`. + enum: + - basic + - bearer + - mtls + - oauth + type: string + required: + - type + type: object + endpoint: + description: endpoint specifies where Confluent REST API is running. + minLength: 1 + pattern: ^https?://.* + type: string + kafkaClusterID: + description: |- + kafkaClusterID specifies the id of Kafka cluster. + It takes precedence over using the Kafka REST API to get the cluster id. + minLength: 1 + type: string + tls: + description: "tls specifies the custom TLS structure for the application + resources,\n\t// e.g. connector, topic, schema, of the Confluent + Platform components.\n\t// +optional" + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer contains the directory path in the container where + `keystore.jks`, `truststore.jks`, `jksPassword.txt` keys are mounted. + minLength: 1 + type: string + jksPassword: + description: jksPassword specifies the secret name that contains + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef specifies the secret name that contains the certificates. + More info about certificates key/value format: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: object + secondaryKafkaClusterRef: + description: secondaryKafkaClusterRef specifies the name of the secondary + Kafka cluster when using centralized RBAC. + properties: + name: + description: name specifies the name of the Confluent Platform + component cluster. + type: string + namespace: + description: namespace specifies the namespace where the Confluent + Platform component cluster is running. + type: string + required: + - name + type: object + secondaryKafkaRest: + description: secondaryKafkaRest specifies the secondary Kafka REST + API configuration when using centralized RBAC. + properties: + authentication: + description: authentication specifies the REST API authentication + mechanism. + properties: + basic: + description: basic specifies the basic authentication settings + for the REST API client. + properties: + debug: + description: debug enables the basic authentication debug + logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. 
+ Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + bearer: + description: bearer specifies the bearer authentication settings + for the REST API client. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the OAuth authentication settings + for the REST API client. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. 
+ minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass the + basic credential through a directory path in the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to pass + the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the REST API authentication type. + Valid options are `basic`, `bearer`, `mtls` and `oauth`. 
+ enum: + - basic + - bearer + - mtls + - oauth + type: string + required: + - type + type: object + endpoint: + description: endpoint specifies where Confluent REST API is running. + minLength: 1 + pattern: ^https?://.* + type: string + kafkaClusterID: + description: |- + kafkaClusterID specifies the id of Kafka cluster. + It takes precedence over using the Kafka REST API to get the cluster id. + minLength: 1 + type: string + tls: + description: "tls specifies the custom TLS structure for the application + resources,\n\t// e.g. connector, topic, schema, of the Confluent + Platform components.\n\t// +optional" + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer contains the directory path in the container where + `keystore.jks`, `truststore.jks`, `jksPassword.txt` keys are mounted. + minLength: 1 + type: string + jksPassword: + description: jksPassword specifies the secret name that contains + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef specifies the secret name that contains the certificates. + More info about certificates key/value format: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: object + type: object + status: + description: status defines the observed state of the KafkaRestClass. + properties: + conditions: + description: conditions are the latest available observed state of + the kafkaRestClass. 
+ items: + description: Condition represent the latest available observations + of the current state. + properties: + lastProbeTime: + description: lastProbeTime shows the last time the condition + was evaluated. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime shows the last time the condition + was transitioned from one status to another. + format: date-time + type: string + message: + description: message shows a human-readable message with details + about the transition. + type: string + reason: + description: reason shows the reason for the last transition + of the condition. + type: string + status: + description: status shows the status of the condition, one of + `True`, `False`, or `Unknown`. + type: string + type: + description: type shows the condition type. + type: string + type: object + type: array + endpoint: + description: endpoint specifies the Kafka REST API / MDS endpoint. + type: string + kafkaClusterID: + description: |- + kafkaClusterID specifies the id of the Kafka cluster. + If using centralized RBAC and kafkaRestClass is for the secondary Kafka cluster, it will be the cluster id of the secondary Kafka cluster. + type: string + observedGeneration: + description: observedGeneration is the most recent generation observed + for this Confluent component. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kafkarestproxies.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kafkarestproxies.yaml new file mode 100644 index 000000000..2311a6118 --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kafkarestproxies.yaml 
@@ -0,0 +1,5834 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: kafkarestproxies.platform.confluent.io +spec: + group: platform.confluent.io + names: + categories: + - all + - confluent-platform + - confluent + kind: KafkaRestProxy + listKind: KafkaRestProxyList + plural: kafkarestproxies + shortNames: + - kafkarestproxy + - krp + singular: kafkarestproxy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.replicas + name: Replicas + type: string + - jsonPath: .status.readyReplicas + name: Ready + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.kafka.bootstrapEndpoint + name: Kafka + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: KafkaRestProxy is the schema for the Kafka REST Proxy API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of the KafkaRestProxy cluster. + properties: + authentication: + description: authentication specifies the authentication configurations + for the KafkaRestProxy cluster. 
+ properties: + basic: + description: basic specifies the configuration for basic authentication. + properties: + debug: + description: debug enables the basic authentication debug + logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the configuration for OAuth authentication. + properties: + configuration: + description: configuration specifies the OAuth server settings. + properties: + audience: + description: audience specifies the audience claim in + the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected issuer + in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of claim + in token for identifying the groups of subject in the + JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). 
+ It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout with + IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry backoff + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff with + IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim in JWT + to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass the basic + credential through a directory path in the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to pass the + required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication scheme for the + REST API server. Valid options are `basic`, `oauth` and `mtls`. 
+ enum: + - basic + - mtls + - oauth + type: string + required: + - type + type: object + authorization: + description: authorization specifies the RBAC configuration for the + KafkaRestProxy cluster. + properties: + kafkaRestClassRef: + description: |- + kafkaRestClassRef references the KafkaRestClass + which specifies the Kafka REST API connection configuration. + properties: + name: + description: name specifies the name of the KafkaRestClass + application resource. + minLength: 1 + type: string + namespace: + description: namespace specifies the namespace of the KafkaRestClass. + type: string + required: + - name + type: object + type: + description: type specifies the client-side authorization type. + The valid option is `rbac`. + enum: + - rbac + type: string + required: + - type + type: object + configOverrides: + description: |- + configOverrides specifies the configs to override the server, JVM, Log4j properties for the KafkaRestProxy cluster. + A change will roll the cluster. + properties: + jvm: + description: |- + jvm is a list of JVM configuration supported by the Confluent Platform component. + This will either add or update the existing configuration. + items: + type: string + type: array + log4j: + description: |- + log4j is a list of Log4J configuration supported by the Confluent Platform component. + This will either add or update the existing configuration. + items: + type: string + type: array + server: + description: |- + server is a list of server configuration supported by the Confluent Platform component. + This will either add or update existing configuration. + items: + type: string + type: array + type: object + dependencies: + description: dependencies specifies the dependency configurations + for Kafka, Interceptor, Schema Registry, and the MDS. + properties: + interceptor: + description: interceptor specifies the interceptor dependency + configuration. 
+ properties: + configs: + description: |- + configs describe the configurations for the Confluent Platform interceptor. + The config override feature can be used to pass the configuration settings. + items: + type: string + type: array + consumer: + description: |- + consumer specifies the consumer configuration for the interceptor. If not + configured, it uses the Kafka dependency configuration. + properties: + authentication: + description: authentication defines the authentication + for the Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another + way to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. 
+ minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. 
+ properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. + type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls defines the client-side TLS setting for + the Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. 
+ minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + enabled: + description: enabled indicates whether the Confluent Platform + interceptor is enabled or disabled. + type: boolean + producer: + description: |- + producer specifies the producer configuration for the interceptor. If not + configured, it uses the Kafka dependency configuration. + properties: + authentication: + description: authentication defines the authentication + for the Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another + way to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. 
+ minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. 
+ enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. + type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls defines the client-side TLS setting for + the Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + publishMs: + type: integer + required: + - enabled + type: object + kafka: + description: kafka specifies the Kafka dependency configuration. + properties: + authentication: + description: authentication defines the authentication for + the Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another way + to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. 
+ This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. + type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls defines the client-side TLS setting for the + Kafka cluster. 
+ properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + mds: + description: mds specifies the MDS dependencies configuration. + properties: + authentication: + description: authentication specifies the client side authentication + configuration for the MDS. + properties: + bearer: + description: bearer specifies the bearer authentication + settings. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. 
+ minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the OAuth authentication + settings. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. 
+ minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass + the basic credential through a directory path in + the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to + pass the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication method + for the MDS. The valid option is `bearer`, `oauth`. + enum: + - bearer + - oauth + type: string + required: + - type + type: object + endpoint: + description: endpoint specifies the MDS endpoint. + minLength: 1 + pattern: ^https?://.* + type: string + ssoProtocol: + description: sso protocol, valid options are ldap and oidc. + enum: + - ldap + - oidc + type: string + tls: + description: ClientTLSConfig specifies the TLS configuration + for the Confluent component (dependencies, listeners). + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. 
+ type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + tokenKeyPair: + description: tokenKeyPair specifies the token keypair to configure + the MDS. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer defines the directory path in the container + where the MDS token key pair are mounted. + minLength: 1 + type: string + encryptedTokenKey: + description: |- + EncryptedTokenKey boolean value indicating whether the tokenKeypair(private used for signing) is encrypted using a passphrase. If true, cfk + operator will look for a file named mdsTokenKeyPassphrase.txt containing key value pair + mdsTokenKeyPassphrase=. Relevant only for mds server. Ignored if set for a client configuration. + type: boolean + secretRef: + description: secretRef references the name of the secret + that contains the MDS token key pair. 
+ maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - authentication + - endpoint + - tokenKeyPair + type: object + schemaRegistry: + description: schemaRegistry specifies the Schema Registry dependency + configuration. + properties: + authentication: + description: authentication specifies the authentication for + the Schema Registry cluster. + properties: + basic: + description: basic specifies the configuration for basic + authentication. + properties: + debug: + description: debug enables the basic authentication + debug logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the configuration for OAuth + authentication. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. 
+ minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass + the basic credential through a directory path in + the container. 
+ minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to + pass the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication scheme + for the REST API client. Valid options are `basic`, + `oauth` and `mtls`. + enum: + - basic + - mtls + - oauth + type: string + required: + - type + type: object + tls: + description: tls defines the client-side TLS setting for the + Schema Registry cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + url: + description: url specifies the URL endpoint of the Schema + Registry cluster. + minLength: 1 + pattern: ^https?://.* + type: string + required: + - url + type: object + type: object + externalAccess: + description: externalAccess specifies the external access configuration. + properties: + loadBalancer: + description: loadBalancer specifies the configuration to create + a Kubernetes load balancer service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. 
It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain is the domain name of the component cluster. + minLength: 1 + type: string + externalTrafficPolicy: + description: externalTrafficPolicy specifies the external + traffic policy for the service. Valid options are `Local` + and `Cluster`. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + loadBalancerSourceRanges: + description: loadBalancerSourceRanges specify the source ranges. + items: + type: string + type: array + port: + description: |- + port specifies the external port for the client consumption. + If not configured, the same internal/external port is configured for the component. + Information about the port can be retrieved through the status API. + format: int32 + type: integer + prefix: + description: |- + prefix specify the prefix for the given domain. + The default value is the name of the cluster. + minLength: 1 + type: string + servicePorts: + description: servicePorts specify the user-provided service + port(s). + items: + description: ServicePort contains information on service's + port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). 
+ + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. 
Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations of Client + IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - domain + type: object + nodePort: + description: nodePort specifies the configuration to create a + Kubernetes node port service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to `://:, where`podId` starts from `0` to `replicaCount - 1`. 
+ This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + externalTrafficPolicy: + description: |- + externalTrafficPolicy specifies the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + host: + description: host defines the host name of the cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + nodePortOffset: + description: |- + nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect + to the replicas count. + NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server. + The default Kubernetes Node Port range is `30000` - `32762`. 
+ format: int32 + minimum: 0 + type: integer + servicePorts: + description: |- + servicePorts specify user-provided service port(s). + For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service. + items: + description: ServicePort contains information on service's + port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. 
If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations of Client + IP based session affinity. 
+ properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - host + - nodePortOffset + type: object + route: + description: route specifies the configuration to create a route + service in OpenShift. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://-http-external.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain specifies the domain name of the Confluent + component cluster. 
+ minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + prefix: + description: |- + prefix specifies the component prefix when configured for the domain. + The default value is the name of the cluster. + minLength: 1 + type: string + wildcardPolicy: + description: |- + wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`. + The default value is `None`. + enum: + - Subdomain + - None + type: string + required: + - domain + type: object + type: + description: |- + type specifies the Kubernetes external service for the component. + Valid options are `loadBalancer`, `nodePort`, and `route`. + enum: + - loadBalancer + - nodePort + - route + minLength: 1 + type: string + required: + - type + type: object + headlessService: + description: headlessService specifies the configuration of the Kubernetes + headless service. + properties: + annotations: + additionalProperties: + type: string + description: |- + annotations is a map of string key and value pairs. + It specifies the annotations to be added to the CFK-created headless service. + These annotations are merged with the injectAnnotations and take precedence. + type: object + x-kubernetes-map-type: granular + labels: + additionalProperties: + type: string + description: |- + labels is a map of string key and value pairs. + It specifies the labels to be added to the CFK-created headless service. + These labels are merged with the injectLabels and take precedence. + type: object + x-kubernetes-map-type: granular + publishNotReadyAddresses: + description: |- + publishNotReadyAddresses specifies the publishNotReadyAddresses field. + For Kafka, this value must be true. The default value is true. 
+ type: boolean + type: object + image: + description: |- + image specifies the application and the init docker image configurations. + A change to this setting will roll the cluster. + properties: + application: + description: |- + application is the Docker image name of the application. Specify + `//:`. + pattern: .+:.+ + type: string + init: + description: |- + init is the init-container name. Specify + `//:`. + pattern: .+:.+ + type: string + pullPolicy: + description: |- + pullPolicy is the policy for pulling images. Valid options are `Always`, `Never`, and `IfNotPresent`. + The default value is `IfNotPresent`. + enum: + - Always + - Never + - IfNotPresent + type: string + pullSecretRef: + description: |- + pullSecretRef references the secrets in the same namespace to be used for pulling images. + Image pull secrets are distinct from secrets because secrets + can be mounted in the pod, but image pull secrets are only accessed by `kubelet`. + More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + items: + type: string + type: array + required: + - application + - init + type: object + injectAnnotations: + additionalProperties: + type: string + description: |- + injectAnnotations are the annotations injected to the internal resources that CFK created. + The internal annotations are preserved and cannot be overridden. + For pod annotations, use `podTemplate.annotations`. + type: object + x-kubernetes-map-type: granular + injectLabels: + additionalProperties: + type: string + description: |- + injectLabels are the labels injected to the internal resources that CFK created. + The internal labels are preserved and cannot be overridden. + For pod labels, use `podTemplate.labels`. + type: object + x-kubernetes-map-type: granular + k8sClusterDomain: + description: |- + k8sClusterDomain specifies the configuration of the Kubernetes cluster domain. + The default is the `cluster.local` domain. 
+ type: string + license: + description: license specifies the license configuration for the Confluent + Platform component. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + the license key is mounted. More info: + https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses + minLength: 1 + type: string + globalLicense: + description: globalLicense specifies whether the Confluent Platform + component shares the common global license. + type: boolean + secretRef: + description: |- + secretRef references the secret that provides the license for the Confluent Platform component. + More info: https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + metrics: + description: metrics specify the security settings for the metric + services. + properties: + authentication: + description: authentication specifies the authentication configuration + for the metrics. + properties: + type: + description: type specifies the metrics authentication method. + The valid option is `mtls`. + enum: + - mtls + type: string + required: + - type + type: object + prometheus: + description: prometheus specifies the configuration overrides + for the JMX-Prometheus exporter. + properties: + blacklist: + items: + type: string + type: array + rules: + items: + description: Rule defines the Prometheus Exporter rule override. 
+ properties: + attrNameSnakeCase: + type: boolean + cache: + type: boolean + help: + minLength: 1 + type: string + labels: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + name: + minLength: 1 + type: string + pattern: + minLength: 1 + type: string + type: + minLength: 1 + type: string + value: + minLength: 1 + type: string + valueFactor: + anyOf: + - type: integer + - type: string + default: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: array + whitelist: + items: + type: string + type: array + type: object + tls: + description: tls specifies the TLS configuration for the metrics. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + mountedSecrets: + description: |- + mountedSecrets list the secrets injected to + the underlying statefulset configuration. The secret reference is mounted + in the default path `/mnt/secrets/`. The underlying resources + will follow the secret as a file configuration. + More info: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod. + A change to this setting will roll the cluster. + items: + description: |- + MountedSecrets provides a way to inject a custom secret to the underlying + statefulset. + properties: + keyItems: + description: keyItems are key and path names. + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + secretRef: + description: secretRef references the name of the secret. 
+ maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + type: array + mountedVolumes: + description: |- + mountedVolumes list the custom volumes that need to be mounted into the + underlying statefulset. + A change to this setting will roll the cluster. + properties: + volumeMounts: + description: |- + volumeMounts specify the list of volume mounts for the pods in the + statefulset. + items: + description: VolumeMount describes a mounting of a Volume within + a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + volumes: + description: |- + volumes specify the list of volumes that can be mounted into the pods + of statefulset. + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. 
+ properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk mount + on the host and bind mount to the pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' 
+ type: string + diskName: + description: diskName is the Name of the data disk in + the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in the + blob storage + type: string + fsType: + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure managed + data disk (only in managed availability set). defaults + to shared' + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the host + that shares a pod's lifetime + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). 
ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about the + pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the + pod: only annotations, labels, name and namespace + are supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must not + be absolute or contain the ''..'' path. Must + be utf-8 encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. 
+ The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. 
+ + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. 
For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
+ type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. 
+ If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource that + is attached to a kubelet's host machine and then exposed + to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target worldwide + names (WWNs)' + items: + type: string + type: array + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. 
+ items: + type: string + type: array + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + properties: + driver: + description: driver is the name of the driver to use + for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. 
+ This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. 
+ properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the specified + revision. + type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md + properties: + endpoints: + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. + properties: + path: + description: |- + path of the directory on the host. 
+ If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://examples.k8s.io/volumes/iscsi/README.md + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. 
The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon Controller + persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. 
+ type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources secrets, + configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected along + with other supported volume types + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". 
+ properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. 
+ type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the configMap + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, kind, uid? + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the + downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about the secret + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. 
+ May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. 
+ type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount on the host + that shares a pod's lifetime + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references an already + created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + image: + description: |- + image is the rados image name. 
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + pool: + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the ScaleIO + API Gateway. 
+ type: string + protectionDomain: + description: protectionDomain is the name of the ScaleIO + Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL communication + with Gateway, default false + type: boolean + storageMode: + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage Pool + associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether the Secret + or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume attached + and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume attached + and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. 
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy Based + Management (SPBM) profile ID associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - volumeMounts + - volumes + type: object + oneReplicaPerNode: + description: |- + oneReplicaPerNode controls whether to run 1 pod per node using the pod anti-affinity capability. + Enabling this configuration in an existing cluster will roll the cluster. + type: boolean + pdb: + description: |- + configures PodDisruptionBudget for the Confluent Platform component. + by default PDB is configured based on pre-detemined formula. + properties: + enabled: + description: enabled specifies whether the PodDisruptionBudget + is enabled + type: boolean + maxUnavailable: + description: maxUnavailable is the maximum number of pods that + can be unavailable during the disruption. + format: int32 + type: integer + required: + - enabled + type: object + podTemplate: + description: podTemplate specifies the statefulset pod template configuration. + properties: + affinity: + description: |- + affinity specifies a group of affinity scheduling rules. + More info: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. 
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. 
+ When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. 
due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + description: |- + annotations is a map of string key and value pairs stored with the resource and + may be set by external tools to store and retrieve arbitrary metadata. They + are not queryable and should be preserved when modifying objects. More + info: http://kubernetes.io/docs/user-guide/annotations. + type: object + x-kubernetes-map-type: granular + envVars: + description: |- + envVars contain environment variables to be injected into containers. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". 
+ type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + labels: + additionalProperties: + type: string + description: |- + labels is a map of string key and value pairs that can be used to organize and categorize + (scope and select) objects. + More info: http://kubernetes.io/docs/user-guide/labels. + type: object + x-kubernetes-map-type: granular + podSecurityContext: + description: |- + PodSecurityContext holds pod-level security attributes and common container settings. + Some fields are also present in container.securityContext. Field values of + container.securityContext take precedence over field values of PodSecurityContext. + properties: + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. 
+ Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. 
+ Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. 
+ Unconfined - no profile should be applied. + type: string + required: + - type + type: object + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in addition + to the container's primary GID, the fsGroup (if specified), and group memberships + defined in the container image for the uid of the container process. If unspecified, + no additional groups are added to any container. Note that group memberships + defined in the container image for the uid of the container process are still effective, + even if they are not included in this list. + Note that this field cannot be set when spec.os.name is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. 
+ type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + priorityClassName: + description: priorityClassName specifies the priority class for + the pod (if any). + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + probe: + description: probe contains the fields for standard Kubernetes + readiness/liveness probe configuration. + properties: + liveness: + description: |- + liveness configures the Kubernetes probe settings. The changes + will override the existing default configuration. + properties: + failureThreshold: + description: |- + failureThreshold is the minimum consecutive failures for the probe to be considered failed. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + initialDelaySeconds: + description: |- + initialDelaySeconds is the number of seconds after the container has started and before probes are initiated. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. 
+ format: int32 + type: integer + path: + description: Path for the HTTP probe + type: string + periodSeconds: + description: |- + periodSeconds specifies how often to perform the probe. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + port: + description: Number of the port to access on the container + type: integer + successThreshold: + description: |- + successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed. + The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`. + format: int32 + type: integer + timeoutSeconds: + description: |- + timeoutSeconds is the number of seconds after which the probe times out. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + type: object + readiness: + description: |- + readiness configures the Kubernetes probe setting. The changes + will override the existing default configuration. + properties: + failureThreshold: + description: |- + failureThreshold is the minimum consecutive failures for the probe to be considered failed. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + initialDelaySeconds: + description: |- + initialDelaySeconds is the number of seconds after the container has started and before probes are initiated. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + path: + description: Path for the HTTP probe + type: string + periodSeconds: + description: |- + periodSeconds specifies how often to perform the probe. 
+ Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + port: + description: Number of the port to access on the container + type: integer + successThreshold: + description: |- + successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed. + The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`. + format: int32 + type: integer + timeoutSeconds: + description: |- + timeoutSeconds is the number of seconds after which the probe times out. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + type: object + type: object + resources: + description: resources describe the compute resource requirements. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: |- + SecurityContext holds security configuration that will be applied to a container. + Some fields are present in both SecurityContext and PodSecurityContext. When both + are set, the values in SecurityContext take precedence. + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. 
+ properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default is DefaultProcMount which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. 
+ Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + serviceAccountName: + description: |- + ServiceAccountName is the name of the service account used to run this pod. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account. 
+ type: string + terminationGracePeriodSeconds: + description: terminationGracePeriodSeconds is the grace period + before the pod is deleted. + format: int64 + type: integer + tolerations: + description: |- + tolerations specify the pods to schedule onto the nodes with matching taints, using + the triple `` and the matching operator ``. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + topologySpreadConstraints describe how a group of pods ought to spread across topology domains. 
Scheduler will + schedule pods based on the constraints. All topologySpreadConstraints are ANDed. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + + + This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. 
+ type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. 
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + replicas: + description: |- + replicas is the desired number of replicas. + A change to this setting will roll the cluster. + format: int32 + type: integer + telemetry: + description: telemetry specifies the Confluent telemetry reporter + configuration. + properties: + global: + description: |- + global allows disabling telemetry configuration. + If CFK is deployed with telemetry, this field is only + used to disable telemetry. The default value is `true` if + telemetry is enabled at the global level. + type: boolean + type: object + tls: + description: tls specifies the TLS configurations for the KafkaRestProxy + cluster. + properties: + autoGeneratedCerts: + description: |- + autoGeneratedCerts specifies that the certificates are auto-generated based on + the CA key pair provided. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + fips: + description: |- + fips specifies the configuration of FIPS compliant Bouncy Castle type Java Keystores for the cp component's + TLS settings. 
TLS Secrets must have the keys keystore.bcfks, truststore.bcfks, and jksPassword.txt + properties: + enabled: + description: enabled specifies whether to enable the FIPS + configuration for cp components. + type: boolean + required: + - enabled + type: object + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing the + JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - image + type: object + status: + description: status defines the observed state of the KafkaRestProxy cluster. + properties: + arbitraryData: + description: arbitraryData is the map for any arbitrary data associated + with this Confluent component. + x-kubernetes-preserve-unknown-fields: true + authorizationType: + description: authorizationType is the authorization type for this + Confluent component. + type: string + clusterName: + description: clusterName is the name of the Confluent Platform component + cluster. + type: string + clusterNamespace: + description: clusterNamespace is the namespace where the Confluent + Platform component cluster is running. 
+ type: string + conditions: + description: conditions specify the latest available observations + of the current state. + items: + description: Condition represent the latest available observations + of the current state. + properties: + lastProbeTime: + description: lastProbeTime shows the last time the condition + was evaluated. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime shows the last time the condition + was transitioned from one status to another. + format: date-time + type: string + message: + description: message shows a human-readable message with details + about the transition. + type: string + reason: + description: reason shows the reason for the last transition + of the condition. + type: string + status: + description: status shows the status of the condition, one of + `True`, `False`, or `Unknown`. + type: string + type: + description: type shows the condition type. + type: string + type: object + type: array + currentReplicas: + description: currentReplicas is the number of currently running replicas. + format: int32 + type: integer + internalSecrets: + description: |- + internalSecrets are internal secrets created + by CFK for this Confluent component. + items: + type: string + type: array + internalTopicNames: + description: internalTopicNames are the topics used by the component + for internal use. + items: + type: string + type: array + kafka: + description: kafka is the Kafka client side status for the KafkaRestProxy + cluster. + properties: + authenticationType: + description: authenticationType describes the authentication method + for the Kafka cluster. + type: string + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap endpoint. + type: string + tls: + description: tls indicates whether TLS is enabled for the Kafka + dependency. + type: boolean + type: object + metricPrefix: + description: metricPrefix is the prefix for the JMX metric of the + KafkaRestProxy. 
+ type: string + observedGeneration: + description: observedGeneration is the most recent generation observed + for this Confluent component. + format: int64 + type: integer + operatorVersion: + description: operatorVersion is the internal version of CFK. + type: string + phase: + description: |- + phase describes the state of the Confluent Platform component. This can either be 'PROVISIONING' + or 'RUNNING' + 'PROVISIONING' means the Confluent Platform component is currently getting deployed and not ready yet. + 'RUNNING' means the Confluent Platform component has been successfully deployed. + type: string + rbac: + description: rbac contains the RBAC-related status when RBAC is enabled. + properties: + clusterID: + description: clusterID specifies the id of the cluster. + type: string + internalRolebindings: + description: internalRolebindings specifies the internal rolebindings. + items: + type: string + type: array + type: object + readyReplicas: + description: readyReplicas is the number of currently ready replicas. + format: int32 + type: integer + replicas: + description: replicas is the number of replicas. + format: int32 + type: integer + restConfig: + description: restConfig is the REST API configuration of the KafkaRestProxy. + properties: + advertisedExternalEndpoints: + description: advertisedExternalEndpoints specifies other advertised + endpoints used, especially for Kafka. + items: + type: string + type: array + authenticationType: + description: authenticationType shows the authentication type + configured by the listener. + type: string + externalAccessType: + description: externalAccessType shows the external access type + used for the listener. + type: string + externalEndpoint: + description: externalEndpoint specifies the external endpoint + to connect to the Confluent component cluster. + type: string + internalEndpoint: + description: internalEndpoint specifies the internal endpoint + to connect to the Confluent component cluster. 
+ type: string + tls: + description: tls shows whether TLS is configured for the listener. + type: boolean + type: object + selector: + description: |- + selector gets the label selector of the child pod. + The Horizontal Pod Autoscaler(HPA) will scale using the label selector of the child pod. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.replicas + status: {} diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kafkas.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kafkas.yaml new file mode 100644 index 000000000..ad422466d --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kafkas.yaml 
@@ -0,0 +1,10948 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: kafkas.platform.confluent.io +spec: + group: platform.confluent.io + names: + categories: + - all + - confluent-platform + - confluent + kind: Kafka + listKind: KafkaList + plural: kafkas + shortNames: + - kafka + - broker + singular: kafka + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.replicas + name: Replicas + type: string + - jsonPath: .status.readyReplicas + name: Ready + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.zookeeperConnect + name: Zookeeper + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: Kafka is the schema for the Kafka API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of the Kafka cluster. + properties: + authorization: + description: authorization specifies the authorization configuration. + properties: + superUsers: + description: |- + superUsers specify the super users to give the admin privilege on the Kafka Cluster. 
+ This list takes the format as `User:` + items: + type: string + type: array + type: + description: type specifies the authorization type. The valid + options are `rbac` and `simple`. + enum: + - rbac + - simple + type: string + required: + - type + type: object + configOverrides: + description: configOverrides specifies the configs to override the + server, JVM, Log4j properties for the Kafka cluster. + properties: + jvm: + description: |- + jvm is a list of JVM configuration supported by the Confluent Platform component. + This will either add or update the existing configuration. + items: + type: string + type: array + log4j: + description: |- + log4j is a list of Log4J configuration supported by the Confluent Platform component. + This will either add or update the existing configuration. + items: + type: string + type: array + server: + description: |- + server is a list of server configuration supported by the Confluent Platform component. + This will either add or update existing configuration. + items: + type: string + type: array + type: object + dataVolumeCapacity: + anyOf: + - type: integer + - type: string + description: dataVolumeCapacity specifies the persistent volume capacity + for the Kafka cluster. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + dependencies: + description: dependencies specify the Kafka dependencies, such as + Zookeeper and centralized MDS. + properties: + kRaftController: + description: |- + kRaftController specifies the dependency configuration for the KRaftController cluster. + You cannot configure both zookeeper and kRaftController dependencies. + properties: + clusterRef: + description: clusterRef specifies the name of the KRaft Controller + cluster. + properties: + name: + description: name specifies the name of the Confluent + Platform component cluster. 
+ type: string + namespace: + description: namespace specifies the namespace where the + Confluent Platform component cluster is running. + type: string + required: + - name + type: object + controllerListener: + description: |- + controllerListener specifies the controller listener which must match + the controller listener on the referenced KRaft Controller cluster. + properties: + authentication: + description: authentication specifies the authentication + configuration for the listener. + properties: + jaasConfig: + description: |- + jaasConfig specifies the JaaS configuration. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: |- + jaasConfigPassThrough specifies another way to provide JaaS configuration. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. 
+ properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + principalMappingRules: + items: + type: string + type: array + type: + description: |- + type specifies the Kafka or Zookeeper authentication type. 
+ Valid options are `plain`, `digest`, `mtls`, `ldap` & `oauth`. + enum: + - plain + - digest + - mtls + - ldap + - oauth + type: string + required: + - type + type: object + tls: + description: tls specifies the TLS configuration for the + listener. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + type: object + kafkaRest: + description: kafkaRest provides the REST client configuration + for the MDS when RBAC is enabled. + properties: + authentication: + description: authentication specifies the Kafka authentication + for Kafka REST API or MDS. 
+ properties: + bearer: + description: |- + bearer is the authentication mechanism to provide principals. + Only supported in RBAC deployment. + Required when authentication type is set to `bearer`. + This field will be deprecated, please configure oauthbearer instead. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another way + to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. 
+ This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provide principals. 
+ Only supported in RBAC deployment. + Required when authentication type is set to `oauthbearer`. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `bearer`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - bearer + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: |- + bootstrapEndpoint specifies Kafka bootstrap endpoint for the admin REST API. It is not needed when RBAC is enabled. + If not configured, then default to the replication listener endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + endpoint: + description: endpoint specifies the custom MDS http|s endpoint. + Not required to configure in most of the scenarios. + minLength: 1 + pattern: ^https?://.* + type: string + tls: + description: tls specifies the client-side TLS configuration + to connect to the Kafka REST API. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. 
+ type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + mds: + description: mds specifies the dependency configuration for the + primary MDS. + properties: + endpoint: + description: endpoint defines the primary Kafka cluster boostrap + endpoint. + minLength: 1 + pattern: ^https?://.* + type: string + kafka: + description: kafka specifies the dependency configuration + for Kafka cluster. + properties: + authentication: + description: authentication defines the authentication + for the Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another + way to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. 
+ minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. 
+ enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. + type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls defines the client-side TLS setting for + the Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + tls: + description: tls specifies the TLS configuration for the primary + MDS. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + tokenKeyPair: + description: tokenKeyPair specifies the token key pair for + the MDS. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer defines the directory path in the container + where the MDS token key pair are mounted. + minLength: 1 + type: string + encryptedTokenKey: + description: |- + EncryptedTokenKey boolean value indicating whether the tokenKeypair(private used for signing) is encrypted using a passphrase. If true, cfk + operator will look for a file named mdsTokenKeyPassphrase.txt containing key value pair + mdsTokenKeyPassphrase=. Relevant only for mds server. Ignored if set for a client configuration. + type: boolean + secretRef: + description: secretRef references the name of the secret + that contains the MDS token key pair. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - endpoint + - kafka + - tokenKeyPair + type: object + schemaRegistry: + description: schemaRegistry specifies the dependency configuration + for the Schema Registry cluster. + properties: + authentication: + description: authentication specifies the authentication for + the Schema Registry cluster. + properties: + basic: + description: basic specifies the configuration for basic + authentication. + properties: + debug: + description: debug enables the basic authentication + debug logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the configuration for OAuth + authentication. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. 
+ minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass + the basic credential through a directory path in + the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to + pass the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication scheme + for the REST API client. Valid options are `basic`, + `oauth` and `mtls`. + enum: + - basic + - mtls + - oauth + type: string + required: + - type + type: object + tls: + description: tls defines the client-side TLS setting for the + Schema Registry cluster. 
+ properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + url: + description: url specifies the URL endpoint of the Schema + Registry cluster. + minLength: 1 + pattern: ^https?://.* + type: string + required: + - url + type: object + zookeeper: + description: |- + zookeeper specifies the dependency configuration for Zookeeper. + You cannot configure both zookeeper and kRaftController dependencies. + properties: + authentication: + description: authentication specifies the client side authentication + configuration of Zookeeper for Kafka cluster. 
+ properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another way + to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. 
+ minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. 
+ enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + discovery: + description: discovery specifies the capability to discover + the Zookeeper cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. + type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + endpoint: + description: endpoint specifies the Zookeeper endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + tls: + description: tls specifies the TLS configuration of Zookeeper + for Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + type: object + fips: + description: |- + fips specifies the configuration of FIPS compliant Bouncy Castle type Java Keystores for the Kafka cluster's + TLS settings. TLS Secrets must have the keys keystore.bcfks, truststore.bcfks, and jksPassword.txt + properties: + enabled: + description: enabled specifies whether to enable the FIPS configuration + for cp components. + type: boolean + required: + - enabled + type: object + headlessService: + description: headlessService specifies the configuration of the Kubernetes + headless service. + properties: + annotations: + additionalProperties: + type: string + description: |- + annotations is a map of string key and value pairs. + It specifies the annotations to be added to the CFK-created headless service. + These annotations are merged with the injectAnnotations and take precedence. + type: object + x-kubernetes-map-type: granular + labels: + additionalProperties: + type: string + description: |- + labels is a map of string key and value pairs. + It specifies the labels to be added to the CFK-created headless service. + These labels are merged with the injectLabels and take precedence. + type: object + x-kubernetes-map-type: granular + publishNotReadyAddresses: + description: |- + publishNotReadyAddresses specifies the publishNotReadyAddresses field. + For Kafka, this value must be true. The default value is true. 
+ type: boolean + type: object + identityProvider: + description: |- + identityProvider specifies the identity provider configuration. + It is only required for the Kafka authentication type `ldap`. + When the MDS is enabled, this property is ignored, and + the LDAP configuration in `spec.services.mds.provider` will be used. + properties: + ldap: + description: ldap defines the LDAP service configuration. + properties: + address: + description: address defines the LDAP server address. + type: string + authentication: + description: LdapAuthentication specifies the LDAP authentication + configuration. + properties: + simple: + description: simple specifies simple authentication configuration + for the LDAP. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer defines the directory path in the container + where the credentials are mounted. + minLength: 1 + type: string + secretRef: + description: secretRef references the name of the + secret that contains the credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: type defines the authentication method for + LDAP. Valid options are `simple` and `mtls`. + enum: + - simple + - mtls + type: string + required: + - type + type: object + configurations: + description: configurations defines the LDAP configurations + for Confluent RBAC. + properties: + groupMemberAttribute: + description: groupMemberAttribute specifies the LDAP group + member attribute. + minLength: 1 + type: string + groupMemberAttributePattern: + description: groupMemberAttributePattern specifies the + regular expression pattern for the LDAP group member + attribute. + minLength: 1 + type: string + groupNameAttribute: + description: groupNameAttribute specifies the LDAP group + name attribute. + minLength: 1 + type: string + groupObjectClass: + description: groupObjectClass specifies the LDAP group + object class. 
+ minLength: 1 + type: string + groupSearchBase: + description: groupSearchBase specifies the LDAP search + base for the group-based search. + minLength: 1 + type: string + groupSearchFilter: + description: groupSearchFilter specifies the LDAP search + filter for the group-based search. + minLength: 1 + type: string + groupSearchScope: + description: groupSearchScope specifies the LDAP search + scope for the group-based search. + format: int32 + type: integer + userMemberOfAttributePattern: + description: userMemberOfAttributePattern specifies the + regular expression pattern for the LDAP user member + attribute. + minLength: 1 + type: string + userNameAttribute: + description: userNameAttribute specifies the LDAP username + attribute. + minLength: 1 + type: string + userObjectClass: + description: userObjectClass specifies the LDAP user object + class. + minLength: 1 + type: string + userSearchBase: + description: userSearchBase specifies the LDAP search + base for the user-based search. + minLength: 1 + type: string + userSearchFilter: + description: userSearchFilter specifies the LDAP search + filter for the user-based search. + minLength: 1 + type: string + userSearchScope: + description: userSearchScope specifies the LDAP search + scope for the user-based search. + format: int32 + type: integer + type: object + tls: + description: tls specifies the TLS configuration for the LDAP. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. 
+ type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + required: + - address + - authentication + - configurations + type: object + oauth: + description: oauth defines the OAuth service configuration. + properties: + configurations: + description: configurations defines the OAuth configurations. + properties: + audience: + description: audience specifies the audience claim in + the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected issuer + in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of claim + in token for identifying the groups of subject in the + JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. 
+ minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout with + IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry backoff + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff with + IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim in JWT + to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + tls: + description: tls specifies the TLS configuration for the OAuth + IDP. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. 
+ properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + required: + - configurations + type: object + oidc: + description: |- + this field has been superseded with sso field + oidc defines the OIDC service configuration. + properties: + clientCredentials: + description: clientCredentials define the IDP clientID and + clientSecret. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer defines the directory path in the container + where the credentials are mounted. + minLength: 1 + type: string + secretRef: + description: secretRef references the name of the secret + that contains the credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + configurations: + description: configurations defines the OIDC configurations. + properties: + audience: + description: audience specifies the audience claim in + the JWT payload. + minLength: 1 + type: string + authorizeBaseEndpointUri: + description: authorizeBaseEndpointUri specifies the base + uri for authorize endpoint. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of claim + in token for identifying the groups of subject in the + JWT payload. 
+ minLength: 1 + type: string + groupsClaimScope: + description: |- + groupsClaimScope specifies additional scope needed for the token to contain groups claim (field). + Leave this field empty (or null) if id token always contains the claims identified as groups. + minLength: 1 + type: string + issuer: + description: |- + issuer specifies the authorization server's URL. + This value should match the issuer claim ("iss") in id tokens issued by Authorization Server? + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + refreshToken: + description: refreshToken specifies whether offline_access + scope should be requested in the authorization URI. + type: boolean + sessionMaxTimeout: + description: sessionMaxTimeout specifies the maximum expiration + time for a user's session. + format: int32 + type: integer + sessionTokenExpiry: + description: sessionTokenExpiry specifies the validity + of cookie issued by Confluent. + format: int32 + type: integer + subClaimName: + description: subClaimName specifies name of claim in JWT + to use for the subject. + minLength: 1 + type: string + tokenBaseEndpointUri: + description: tokenBaseEndpointUri specifies the base uri + for token endpoint. + minLength: 1 + type: string + required: + - authorizeBaseEndpointUri + - issuer + - jwksEndpointUri + - refreshToken + - tokenBaseEndpointUri + type: object + enabled: + default: true + description: |- + enabled specifies whether the SSO is enabled. + default is true. + type: boolean + required: + - clientCredentials + - configurations + type: object + sso: + description: sso defines the SSO service configuration. + properties: + clientCredentials: + description: clientCredentials define the IDP clientID and + clientSecret. 
+ properties: + directoryPathInContainer: + description: |- + directoryPathInContainer defines the directory path in the container + where the credentials are mounted. + minLength: 1 + type: string + secretRef: + description: secretRef references the name of the secret + that contains the credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + configurations: + description: configurations defines the OIDC configurations. + properties: + audience: + description: audience specifies the audience claim in + the JWT payload. + minLength: 1 + type: string + authorizeBaseEndpointUri: + description: authorizeBaseEndpointUri specifies the base + uri for authorize endpoint. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of claim + in token for identifying the groups of subject in the + JWT payload. + minLength: 1 + type: string + groupsClaimScope: + description: |- + groupsClaimScope specifies additional scope needed for the token to contain groups claim (field). + Leave this field empty (or null) if id token always contains the claims identified as groups. + minLength: 1 + type: string + issuer: + description: |- + issuer specifies the authorization server's URL. + This value should match the issuer claim ("iss") in id tokens issued by Authorization Server? + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + refreshToken: + description: refreshToken specifies whether offline_access + scope should be requested in the authorization URI. + type: boolean + sessionMaxTimeout: + description: sessionMaxTimeout specifies the maximum expiration + time for a user's session. 
+ format: int32 + type: integer + sessionTokenExpiry: + description: sessionTokenExpiry specifies the validity + of cookie issued by Confluent. + format: int32 + type: integer + subClaimName: + description: subClaimName specifies name of claim in JWT + to use for the subject. + minLength: 1 + type: string + tokenBaseEndpointUri: + description: tokenBaseEndpointUri specifies the base uri + for token endpoint. + minLength: 1 + type: string + required: + - authorizeBaseEndpointUri + - issuer + - jwksEndpointUri + - refreshToken + - tokenBaseEndpointUri + type: object + enabled: + default: true + description: |- + enabled specifies whether the SSO is enabled. + default is true. + type: boolean + required: + - clientCredentials + - configurations + type: object + type: + description: This field has been deprecated and its value will + be ignored if set. + type: string + type: object + image: + description: |- + image specifies the application and the init docker image configurations. + A change to this setting will roll the cluster. + properties: + application: + description: |- + application is the Docker image name of the application. Specify + `//:`. + pattern: .+:.+ + type: string + init: + description: |- + init is the init-container name. Specify + `//:`. + pattern: .+:.+ + type: string + pullPolicy: + description: |- + pullPolicy is the policy for pulling images. Valid options are `Always`, `Never`, and `IfNotPresent`. + The default value is `IfNotPresent`. + enum: + - Always + - Never + - IfNotPresent + type: string + pullSecretRef: + description: |- + pullSecretRef references the secrets in the same namespace to be used for pulling images. + Image pull secrets are distinct from secrets because secrets + can be mounted in the pod, but image pull secrets are only accessed by `kubelet`. 
+ More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + items: + type: string + type: array + required: + - application + - init + type: object + injectAnnotations: + additionalProperties: + type: string + description: |- + injectAnnotations are the annotations injected to the internal resources that CFK created. + The internal annotations are preserved and cannot be overridden. + For pod annotations, use `podTemplate.annotations`. + type: object + x-kubernetes-map-type: granular + injectLabels: + additionalProperties: + type: string + description: |- + injectLabels are the labels injected to the internal resources that CFK created. + The internal labels are preserved and cannot be overridden. + For pod labels, use `podTemplate.labels`. + type: object + x-kubernetes-map-type: granular + k8sClusterDomain: + description: |- + k8sClusterDomain specifies the configuration of the Kubernetes cluster domain. + The default is the `cluster.local` domain. + type: string + license: + description: license specifies the license configuration for the Confluent + Platform component. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + the license key is mounted. More info: + https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses + minLength: 1 + type: string + globalLicense: + description: globalLicense specifies whether the Confluent Platform + component shares the common global license. + type: boolean + secretRef: + description: |- + secretRef references the secret that provides the license for the Confluent Platform component. 
+ More info: https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + listeners: + description: listeners specify the listeners configurations. + properties: + custom: + description: custom defines the list of KafkaCustomListener. + items: + description: KafkaCustomListener defines the Kafka custom listener. + properties: + authentication: + description: authentication specifies the authentication + configuration for the listener. + properties: + jaasConfig: + description: |- + jaasConfig specifies the JaaS configuration. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: |- + jaasConfigPassThrough specifies another way to provide JaaS configuration. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. 
+ properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups of + subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + principalMappingRules: + items: + type: string + type: array + type: + description: |- + type specifies the Kafka or Zookeeper authentication type. 
+ Valid options are `plain`, `digest`, `mtls`, `ldap` & `oauth`. + enum: + - plain + - digest + - mtls + - ldap + - oauth + type: string + required: + - type + type: object + externalAccess: + description: externalAccess defines the external access + configuration for the Kafka cluster. + properties: + loadBalancer: + description: loadBalancer specifies the configuration + to create Kubernetes load balancer services. + properties: + advertisedPort: + description: |- + advertisedPort specifies the advertised port for Kafka external access. + If not configured, it will be the same as the listener port. + Information about the advertised port can be retrieved through the status API. + format: int32 + type: integer + annotations: + additionalProperties: + type: string + description: annotations is a map of string key + and value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + bootstrapPrefix: + description: |- + bootstrapPrefix specifies the prefix for the Kafka bootstrap advertised endpoint and will be added as `bootstrapPrefix.domain`. + The default value is the Kafka cluster name. + minLength: 1 + type: string + brokerPrefix: + description: |- + brokerPrefix specifies the prefix for the Kafka broker advertised endpoint and will be added as `brokerPrefix.domain`. + The default value is `b`, such as `b#.domain` where `#` starts from `0` to the replicas count. + minLength: 1 + type: string + domain: + description: domain is the domain name of the component + cluster. + minLength: 1 + type: string + externalTrafficPolicy: + description: externalTrafficPolicy specifies the + external traffic policy for the service. Valid + options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this + service. 
+ type: object + x-kubernetes-map-type: granular + loadBalancerSourceRanges: + description: loadBalancerSourceRanges specify the + source ranges. + items: + type: string + type: array + servicePorts: + description: servicePorts specify the user-provided + service port(s). + items: + description: ServicePort contains information + on service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. 
If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed + by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the + configurations of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. 
+ properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - domain + type: object + nodePort: + description: nodePort specifies the configuration to + create Kubernetes node port services. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to `://:, where`podId` starts from `0` to `replicaCount - 1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key + and value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + externalTrafficPolicy: + description: |- + externalTrafficPolicy specifies the external traffic policy for the service. + Valid options are `Local` and `Cluster`. 
+ enum: + - Local + - Cluster + type: string + host: + description: host defines the host name of the cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this + service. + type: object + x-kubernetes-map-type: granular + nodePortOffset: + description: |- + nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect + to the replicas count. + NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server. + The default Kubernetes Node Port range is `30000` - `32762`. + format: int32 + minimum: 0 + type: integer + servicePorts: + description: |- + servicePorts specify user-provided service port(s). + For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service. + items: + description: ServicePort contains information + on service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. 
+ type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed + by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. 
+ More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the + configurations of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - host + - nodePortOffset + type: object + route: + description: route specifies the configuration to create + route services in OpenShift. + properties: + annotations: + additionalProperties: + type: string + description: annotations is a map of string key + and value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + bootstrapPrefix: + description: |- + bootstrapPrefix specifies the prefix for the Kafka bootstrap advertised endpoint and will be added as `bootstrapPrefix.domain`. + The default value is the Kafka cluster name. + minLength: 1 + type: string + brokerPrefix: + description: |- + brokerPrefix specifies the prefix for the Kafka broker advertised endpoint and will be added as `brokerPrefix.domain`. + The default value is `b`, such as `b#.domain` where `#` starts from `0` to the replicas count. 
+ minLength: 1 + type: string + domain: + description: domain specifies the domain name of + the Confluent component cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this + service. + type: object + x-kubernetes-map-type: granular + wildcardPolicy: + description: |- + wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`. + The default value is `None`. + enum: + - Subdomain + - None + type: string + required: + - domain + type: object + staticForHostBasedRouting: + description: |- + staticForHostBasedRouting enables external access by doing host based + routing through the SNI capability. + With this schema, CFK only configures Kafka advertised listeners, and no Kubernetes external + service is created. + properties: + brokerPrefix: + description: |- + brokerPrefix specifies the prefix for the broker advertised endpoints and are added as `brokerPrefix.domain`. + If not configured, it will add `b` as a prefix, such as `b#.domain` where `#` will start from `0` to the replicas count. + minLength: 1 + type: string + domain: + description: domain specifies the domain name for + the Kafka cluster. + minLength: 1 + type: string + port: + description: port specifies the port to be used + in the advertised listener for a broker. + format: int32 + type: integer + required: + - domain + - port + type: object + staticForPortBasedRouting: + description: |- + staticForPortBasedRouting enables external access by port routing. + With this schema, CFK only configures Kafka advertised listeners, and no Kubernetes external + service is created. + properties: + host: + description: host defines the host name to be used + in the advertised listener for a broker. + minLength: 1 + type: string + portOffset: + description: |- + portOffset specifies the starting port number. 
The port numbers go in ascending order with + respect to the replicas count. + format: int32 + type: integer + required: + - host + - portOffset + type: object + type: + description: |- + type specifies the Kubernetes service for external access. + Valid options are `loadBalancer`, `nodePort`, `route`, `staticForPortBasedRouting`, and `staticForHostBasedRouting`. + enum: + - loadBalancer + - nodePort + - route + - staticForPortBasedRouting + - staticForHostBasedRouting + type: string + required: + - type + type: object + name: + description: |- + name specifies the name of the custom listener. + `internal`, `external`, and `token` are reserved by CFK and + can't be used for this property. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + port binds the given port to the custom listener. Port numbers lower than `9093` are + reserved by CFK. + format: int32 + minimum: 9093 + type: integer + tls: + description: tls specifies the TLS configuration for the + listener. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + required: + - name + - port + type: object + type: array + external: + description: external specifies the Kafka external listener. + properties: + authentication: + description: authentication specifies the authentication configuration + for the listener. + properties: + jaasConfig: + description: |- + jaasConfig specifies the JaaS configuration. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: |- + jaasConfigPassThrough specifies another way to provide JaaS configuration. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. 
+ This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + principalMappingRules: + items: + type: string + type: array + type: + description: |- + type specifies the Kafka or Zookeeper authentication type. + Valid options are `plain`, `digest`, `mtls`, `ldap` & `oauth`. + enum: + - plain + - digest + - mtls + - ldap + - oauth + type: string + required: + - type + type: object + externalAccess: + description: externalAccess defines the external access configuration + for the Kafka cluster. + properties: + loadBalancer: + description: loadBalancer specifies the configuration + to create Kubernetes load balancer services. + properties: + advertisedPort: + description: |- + advertisedPort specifies the advertised port for Kafka external access. + If not configured, it will be the same as the listener port. + Information about the advertised port can be retrieved through the status API. + format: int32 + type: integer + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + bootstrapPrefix: + description: |- + bootstrapPrefix specifies the prefix for the Kafka bootstrap advertised endpoint and will be added as `bootstrapPrefix.domain`. + The default value is the Kafka cluster name. + minLength: 1 + type: string + brokerPrefix: + description: |- + brokerPrefix specifies the prefix for the Kafka broker advertised endpoint and will be added as `brokerPrefix.domain`. + The default value is `b`, such as `b#.domain` where `#` starts from `0` to the replicas count. + minLength: 1 + type: string + domain: + description: domain is the domain name of the component + cluster. 
+ minLength: 1 + type: string + externalTrafficPolicy: + description: externalTrafficPolicy specifies the external + traffic policy for the service. Valid options are + `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + loadBalancerSourceRanges: + description: loadBalancerSourceRanges specify the + source ranges. + items: + type: string + type: array + servicePorts: + description: servicePorts specify the user-provided + service port(s). + items: + description: ServicePort contains information on + service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. 
+ Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by + this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. 
+ More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - domain + type: object + nodePort: + description: nodePort specifies the configuration to create + Kubernetes node port services. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to `://:, where`podId` starts from `0` to `replicaCount - 1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. 
+ minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + externalTrafficPolicy: + description: |- + externalTrafficPolicy specifies the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + host: + description: host defines the host name of the cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + nodePortOffset: + description: |- + nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect + to the replicas count. + NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server. + The default Kubernetes Node Port range is `30000` - `32762`. + format: int32 + minimum: 0 + type: integer + servicePorts: + description: |- + servicePorts specify user-provided service port(s). + For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service. + items: + description: ServicePort contains information on + service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). 
+ + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by + this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. 
+ Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - host + - nodePortOffset + type: object + route: + description: route specifies the configuration to create + route services in OpenShift. + properties: + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. 
+ type: object + x-kubernetes-map-type: granular + bootstrapPrefix: + description: |- + bootstrapPrefix specifies the prefix for the Kafka bootstrap advertised endpoint and will be added as `bootstrapPrefix.domain`. + The default value is the Kafka cluster name. + minLength: 1 + type: string + brokerPrefix: + description: |- + brokerPrefix specifies the prefix for the Kafka broker advertised endpoint and will be added as `brokerPrefix.domain`. + The default value is `b`, such as `b#.domain` where `#` starts from `0` to the replicas count. + minLength: 1 + type: string + domain: + description: domain specifies the domain name of the + Confluent component cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + wildcardPolicy: + description: |- + wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`. + The default value is `None`. + enum: + - Subdomain + - None + type: string + required: + - domain + type: object + staticForHostBasedRouting: + description: |- + staticForHostBasedRouting enables external access by doing host based + routing through the SNI capability. + With this schema, CFK only configures Kafka advertised listeners, and no Kubernetes external + service is created. + properties: + brokerPrefix: + description: |- + brokerPrefix specifies the prefix for the broker advertised endpoints and are added as `brokerPrefix.domain`. + If not configured, it will add `b` as a prefix, such as `b#.domain` where `#` will start from `0` to the replicas count. + minLength: 1 + type: string + domain: + description: domain specifies the domain name for + the Kafka cluster. + minLength: 1 + type: string + port: + description: port specifies the port to be used in + the advertised listener for a broker. 
+ format: int32 + type: integer + required: + - domain + - port + type: object + staticForPortBasedRouting: + description: |- + staticForPortBasedRouting enables external access by port routing. + With this schema, CFK only configures Kafka advertised listeners, and no Kubernetes external + service is created. + properties: + host: + description: host defines the host name to be used + in the advertised listener for a broker. + minLength: 1 + type: string + portOffset: + description: |- + portOffset specifies the starting port number. The port numbers go in ascending order with + respect to the replicas count. + format: int32 + type: integer + required: + - host + - portOffset + type: object + type: + description: |- + type specifies the Kubernetes service for external access. + Valid options are `loadBalancer`, `nodePort`, `route`, `staticForPortBasedRouting`, and `staticForHostBasedRouting`. + enum: + - loadBalancer + - nodePort + - route + - staticForPortBasedRouting + - staticForHostBasedRouting + type: string + required: + - type + type: object + tls: + description: tls specifies the TLS configuration for the listener. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. 
+ properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + internal: + description: internal specifies the internal listener. + properties: + authentication: + description: authentication specifies the authentication configuration + for the listener. + properties: + jaasConfig: + description: |- + jaasConfig specifies the JaaS configuration. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: |- + jaasConfigPassThrough specifies another way to provide JaaS configuration. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. 
+ minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + principalMappingRules: + items: + type: string + type: array + type: + description: |- + type specifies the Kafka or Zookeeper authentication type. + Valid options are `plain`, `digest`, `mtls`, `ldap` & `oauth`. + enum: + - plain + - digest + - mtls + - ldap + - oauth + type: string + required: + - type + type: object + tls: + description: tls specifies the TLS configuration for the listener. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + replication: + description: replication specifies the Kafka replication listener. + properties: + authentication: + description: authentication specifies the authentication configuration + for the listener. + properties: + jaasConfig: + description: |- + jaasConfig specifies the JaaS configuration. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: |- + jaasConfigPassThrough specifies another way to provide JaaS configuration. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. 
+ This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + principalMappingRules: + items: + type: string + type: array + type: + description: |- + type specifies the Kafka or Zookeeper authentication type. + Valid options are `plain`, `digest`, `mtls`, `ldap` & `oauth`. + enum: + - plain + - digest + - mtls + - ldap + - oauth + type: string + required: + - type + type: object + externalAccess: + description: externalAccess defines the external access configuration + for the Kafka cluster. + properties: + loadBalancer: + description: loadBalancer specifies the configuration + to create Kubernetes load balancer services. + properties: + advertisedPort: + description: |- + advertisedPort specifies the advertised port for Kafka external access. + If not configured, it will be the same as the listener port. + Information about the advertised port can be retrieved through the status API. + format: int32 + type: integer + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + bootstrapPrefix: + description: |- + bootstrapPrefix specifies the prefix for the Kafka bootstrap advertised endpoint and will be added as `bootstrapPrefix.domain`. + The default value is the Kafka cluster name. + minLength: 1 + type: string + brokerPrefix: + description: |- + brokerPrefix specifies the prefix for the Kafka broker advertised endpoint and will be added as `brokerPrefix.domain`. + The default value is `b`, such as `b#.domain` where `#` starts from `0` to the replicas count. + minLength: 1 + type: string + domain: + description: domain is the domain name of the component + cluster. 
+ minLength: 1 + type: string + externalTrafficPolicy: + description: externalTrafficPolicy specifies the external + traffic policy for the service. Valid options are + `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + loadBalancerSourceRanges: + description: loadBalancerSourceRanges specify the + source ranges. + items: + type: string + type: array + servicePorts: + description: servicePorts specify the user-provided + service port(s). + items: + description: ServicePort contains information on + service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. 
+ Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by + this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. 
+ More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - domain + type: object + nodePort: + description: nodePort specifies the configuration to create + Kubernetes node port services. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to `://:, where`podId` starts from `0` to `replicaCount - 1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. 
+ minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + externalTrafficPolicy: + description: |- + externalTrafficPolicy specifies the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + host: + description: host defines the host name of the cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + nodePortOffset: + description: |- + nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect + to the replicas count. + NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server. + The default Kubernetes Node Port range is `30000` - `32762`. + format: int32 + minimum: 0 + type: integer + servicePorts: + description: |- + servicePorts specify user-provided service port(s). + For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service. + items: + description: ServicePort contains information on + service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). 
+ + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by + this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. 
+ Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - host + - nodePortOffset + type: object + route: + description: route specifies the configuration to create + route services in OpenShift. + properties: + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. 
+ type: object + x-kubernetes-map-type: granular + bootstrapPrefix: + description: |- + bootstrapPrefix specifies the prefix for the Kafka bootstrap advertised endpoint and will be added as `bootstrapPrefix.domain`. + The default value is the Kafka cluster name. + minLength: 1 + type: string + brokerPrefix: + description: |- + brokerPrefix specifies the prefix for the Kafka broker advertised endpoint and will be added as `brokerPrefix.domain`. + The default value is `b`, such as `b#.domain` where `#` starts from `0` to the replicas count. + minLength: 1 + type: string + domain: + description: domain specifies the domain name of the + Confluent component cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + wildcardPolicy: + description: |- + wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`. + The default value is `None`. + enum: + - Subdomain + - None + type: string + required: + - domain + type: object + staticForHostBasedRouting: + description: |- + staticForHostBasedRouting enables external access by doing host based + routing through the SNI capability. + With this schema, CFK only configures Kafka advertised listeners, and no Kubernetes external + service is created. + properties: + brokerPrefix: + description: |- + brokerPrefix specifies the prefix for the broker advertised endpoints and are added as `brokerPrefix.domain`. + If not configured, it will add `b` as a prefix, such as `b#.domain` where `#` will start from `0` to the replicas count. + minLength: 1 + type: string + domain: + description: domain specifies the domain name for + the Kafka cluster. + minLength: 1 + type: string + port: + description: port specifies the port to be used in + the advertised listener for a broker. 
+ format: int32 + type: integer + required: + - domain + - port + type: object + staticForPortBasedRouting: + description: |- + staticForPortBasedRouting enables external access by port routing. + With this schema, CFK only configures Kafka advertised listeners, and no Kubernetes external + service is created. + properties: + host: + description: host defines the host name to be used + in the advertised listener for a broker. + minLength: 1 + type: string + portOffset: + description: |- + portOffset specifies the starting port number. The port numbers go in ascending order with + respect to the replicas count. + format: int32 + type: integer + required: + - host + - portOffset + type: object + type: + description: |- + type specifies the Kubernetes service for external access. + Valid options are `loadBalancer`, `nodePort`, `route`, `staticForPortBasedRouting`, and `staticForHostBasedRouting`. + enum: + - loadBalancer + - nodePort + - route + - staticForPortBasedRouting + - staticForHostBasedRouting + type: string + required: + - type + type: object + tls: + description: tls specifies the TLS configuration for the listener. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. 
+ properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + type: object + metricReporter: + description: |- + metricsReporter specifies the configuration of the metric reporter. The metric reporter is enabled by default. + If authentication and TLS are not set, the metrics reporter uses internal listener's authentication and TLS . + properties: + authentication: + description: authentication specifies the Kafka client-side authentication + configuration. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side JaaS + configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another way to + provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim in + the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected issuer + in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of claim + in token for identifying the groups of subject in the + JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout with + IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry backoff + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff with + IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. 
+ minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim in JWT + to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap endpoint. + type: string + enabled: + description: enabled specifies whether to enable or disable the + metric reporter. + type: boolean + replicationFactor: + description: replicationFactor specifies the number of replicas + in the metric topic. + format: int32 + type: integer + tls: + description: tls specifies the Kafka client-side TLS configuration. 
+ properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + required: + - enabled + type: object + metrics: + description: metrics specify the security settings for the metric + services. + properties: + authentication: + description: authentication specifies the authentication configuration + for the metrics. + properties: + type: + description: type specifies the metrics authentication method. + The valid option is `mtls`. 
+ enum: + - mtls + type: string + required: + - type + type: object + prometheus: + description: prometheus specifies the configuration overrides + for the JMX-Prometheus exporter. + properties: + blacklist: + items: + type: string + type: array + rules: + items: + description: Rule defines the Prometheus Exporter rule override. + properties: + attrNameSnakeCase: + type: boolean + cache: + type: boolean + help: + minLength: 1 + type: string + labels: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + name: + minLength: 1 + type: string + pattern: + minLength: 1 + type: string + type: + minLength: 1 + type: string + value: + minLength: 1 + type: string + valueFactor: + anyOf: + - type: integer + - type: string + default: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: array + whitelist: + items: + type: string + type: array + type: object + tls: + description: tls specifies the TLS configuration for the metrics. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + mountedSecrets: + description: |- + mountedSecrets list the secrets injected to + the underlying statefulset configuration. The secret reference is mounted + in the default path `/mnt/secrets/`. The underlying resources + will follow the secret as a file configuration. + More info: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod. + A change to this setting will roll the cluster. + items: + description: |- + MountedSecrets provides a way to inject a custom secret to the underlying + statefulset. + properties: + keyItems: + description: keyItems are key and path names. + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. 
+ May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + secretRef: + description: secretRef references the name of the secret. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + type: array + mountedVolumes: + description: |- + mountedVolumes list the custom volumes that need to be mounted into the + underlying statefulset. + A change to this setting will roll the cluster. + properties: + volumeMounts: + description: |- + volumeMounts specify the list of volume mounts for the pods in the + statefulset. + items: + description: VolumeMount describes a mounting of a Volume within + a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. 
+ type: string + required: + - mountPath + - name + type: object + type: array + volumes: + description: |- + volumes specify the list of volumes that can be mounted into the pods + of statefulset. + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk mount + on the host and bind mount to the pod. 
+ properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk in + the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in the + blob storage + type: string + fsType: + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure managed + data disk (only in managed availability set). defaults + to shared' + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. 
+ type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the host + that shares a pod's lifetime + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. 
+ type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about the + pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the + pod: only annotations, labels, name and namespace + are supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must not + be absolute or contain the ''..'' path. Must + be utf-8 encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. 
+ The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. 
Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. 
+ When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. 
+ * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. 
+ type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource that + is attached to a kubelet's host machine and then exposed + to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target worldwide + names (WWNs)' + items: + type: string + type: array + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + properties: + driver: + description: driver is the name of the driver to use + for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
+ type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the specified + revision. 
+ type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md + properties: + endpoints: + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. 
+ More info: https://examples.k8s.io/volumes/iscsi/README.md + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. 
+ type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon Controller + persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources secrets, + configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected along + with other supported volume types + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the configMap + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. 
Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the + downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". 
+ type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about the secret + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. 
+ May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. 
+ type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount on the host + that shares a pod's lifetime + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references an already + created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + image: + description: |- + image is the rados image name. 
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + pool: + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the ScaleIO + API Gateway. 
+ type: string + protectionDomain: + description: protectionDomain is the name of the ScaleIO + Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL communication + with Gateway, default false + type: boolean + storageMode: + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage Pool + associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether the Secret + or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume attached + and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume attached + and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. 
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy Based + Management (SPBM) profile ID associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - volumeMounts + - volumes + type: object + oneReplicaPerNode: + description: |- + oneReplicaPerNode controls whether to run 1 pod per node using the pod anti-affinity capability. + Enabling this configuration in an existing cluster will roll the cluster. + type: boolean + passwordEncoder: + description: passwordEncoder specifies password encoder secret for + Kafka. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer contains the directory path in the container where + the required secret is mounted. + Directory should have the file `password-encoder.txt`. The contents should include a new password. + Old password is optional and required only for rotation. + More info: https://docs.confluent.io/operator/current/co-password-encoder-secret. + type: string + secretRef: + description: |- + secretRef specifies the secret name. The secret should have the key + `password-encoder.txt`. The contents should include a new password. + Old password is optional and required only for rotation. + More info: https://docs.confluent.io/operator/current/co-password-encoder-secret. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + pdb: + description: |- + configures PodDisruptionBudget for the Confluent Platform component. + by default PDB is configured based on pre-detemined formula. 
+ properties: + enabled: + description: enabled specifies whether the PodDisruptionBudget + is enabled + type: boolean + maxUnavailable: + description: maxUnavailable is the maximum number of pods that + can be unavailable during the disruption. + format: int32 + type: integer + required: + - enabled + type: object + podTemplate: + description: podTemplate specifies the statefulset pod template configuration. + properties: + affinity: + description: |- + affinity specifies a group of affinity scheduling rules. + More info: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. 
+ items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. 
+ for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. 
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. 
The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. 
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + description: |- + annotations is a map of string key and value pairs stored with the resource and + may be set by external tools to store and retrieve arbitrary metadata. They + are not queryable and should be preserved when modifying objects. More + info: http://kubernetes.io/docs/user-guide/annotations. 
+ type: object + x-kubernetes-map-type: granular + envVars: + description: |- + envVars contain environment variables to be injected into containers. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. 
+ properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + labels: + additionalProperties: + type: string + description: |- + labels is a map of string key and value pairs that can be used to organize and categorize + (scope and select) objects. 
+ More info: http://kubernetes.io/docs/user-guide/labels. + type: object + x-kubernetes-map-type: granular + podSecurityContext: + description: |- + PodSecurityContext holds pod-level security attributes and common container settings. + Some fields are also present in container.securityContext. Field values of + container.securityContext take precedence over field values of PodSecurityContext. + properties: + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. + Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. 
+ properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in addition + to the container's primary GID, the fsGroup (if specified), and group memberships + defined in the container image for the uid of the container process. If unspecified, + no additional groups are added to any container. Note that group memberships + defined in the container image for the uid of the container process are still effective, + even if they are not included in this list. + Note that this field cannot be set when spec.os.name is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: |- + The Windows specific settings applied to all containers. 
+ If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + priorityClassName: + description: priorityClassName specifies the priority class for + the pod (if any). + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + probe: + description: probe contains the fields for standard Kubernetes + readiness/liveness probe configuration. + properties: + liveness: + description: |- + liveness configures the Kubernetes probe settings. The changes + will override the existing default configuration. 
+ properties: + failureThreshold: + description: |- + failureThreshold is the minimum consecutive failures for the probe to be considered failed. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + initialDelaySeconds: + description: |- + initialDelaySeconds is the number of seconds after the container has started and before probes are initiated. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + path: + description: Path for the HTTP probe + type: string + periodSeconds: + description: |- + periodSeconds specifies how often to perform the probe. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + port: + description: Number of the port to access on the container + type: integer + successThreshold: + description: |- + successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed. + The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`. + format: int32 + type: integer + timeoutSeconds: + description: |- + timeoutSeconds is the number of seconds after which the probe times out. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + type: object + readiness: + description: |- + readiness configures the Kubernetes probe setting. The changes + will override the existing default configuration. + properties: + failureThreshold: + description: |- + failureThreshold is the minimum consecutive failures for the probe to be considered failed. 
+ Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + initialDelaySeconds: + description: |- + initialDelaySeconds is the number of seconds after the container has started and before probes are initiated. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + path: + description: Path for the HTTP probe + type: string + periodSeconds: + description: |- + periodSeconds specifies how often to perform the probe. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + port: + description: Number of the port to access on the container + type: integer + successThreshold: + description: |- + successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed. + The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`. + format: int32 + type: integer + timeoutSeconds: + description: |- + timeoutSeconds is the number of seconds after which the probe times out. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + type: object + type: object + resources: + description: resources describe the compute resource requirements. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
+ properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: |- + SecurityContext holds security configuration that will be applied to a container. + Some fields are present in both SecurityContext and PodSecurityContext. When both + are set, the values in SecurityContext take precedence. + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. 
+ AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default is DefaultProcMount which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. 
+ Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. 
+ type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + serviceAccountName: + description: |- + ServiceAccountName is the name of the service account used to run this pod. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account. + type: string + terminationGracePeriodSeconds: + description: terminationGracePeriodSeconds is the grace period + before the pod is deleted. + format: int64 + type: integer + tolerations: + description: |- + tolerations specify the pods to schedule onto the nodes with matching taints, using + the triple `` and the matching operator ``. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. 
+ type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + topologySpreadConstraints describe how a group of pods ought to spread across topology domains. Scheduler will + schedule pods based on the constraints. All topologySpreadConstraints are ANDed. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. 
+ | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. + When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + + + This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). 
+ format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. 
+ - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + rackAssignment: + description: rackAssignment specifies the rack awareness capability + of the Kafka cluster. + properties: + availabilityZoneCount: + description: |- + availabilityZoneCount configures `broker.rack` with the formula (`pod_id % azCount`). + This is mainly for backwards compatibility with Operator 1.x. + format: int32 + type: integer + nodeLabels: + description: |- + nodeLabels use the Kubernetes node API + to retrieve the label values to be used in `broker.rack`. This + feature requires CFK to run with the cluster-level access. + items: + type: string + minItems: 1 + type: array + type: object + replicas: + description: |- + replicas is the desired number of replicas. + A change to this setting will roll the cluster. + format: int32 + type: integer + services: + description: services specify the supported Kafka services. + properties: + kafkaRest: + description: kafkaRest specifies the embedded REST API server + configuration. 
+ properties: + authentication: + description: authentication specifies the REST API server + authentication configuration. + properties: + basic: + description: basic specifies the configuration for basic + authentication. + properties: + debug: + description: debug enables the basic authentication + debug logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the configuration for OAuth + authentication. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. 
+ minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass + the basic credential through a directory path in + the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to + pass the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication scheme + for the REST API server. Valid options are `basic`, + `oauth` and `mtls`. 
+ enum: + - basic + - mtls + - oauth + type: string + required: + - type + type: object + externalAccess: + description: externalAccess specifies the external access + configuration. + properties: + loadBalancer: + description: loadBalancer specifies the configuration + to create a Kubernetes load balancer service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain is the domain name of the component + cluster. + minLength: 1 + type: string + externalTrafficPolicy: + description: externalTrafficPolicy specifies the external + traffic policy for the service. 
Valid options are + `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + loadBalancerSourceRanges: + description: loadBalancerSourceRanges specify the + source ranges. + items: + type: string + type: array + port: + description: |- + port specifies the external port for the client consumption. + If not configured, the same internal/external port is configured for the component. + Information about the port can be retrieved through the status API. + format: int32 + type: integer + prefix: + description: |- + prefix specify the prefix for the given domain. + The default value is the name of the cluster. + minLength: 1 + type: string + servicePorts: + description: servicePorts specify the user-provided + service port(s). + items: + description: ServicePort contains information on + service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. 
+ type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by + this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. 
+ More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - domain + type: object + nodePort: + description: nodePort specifies the configuration to create + a Kubernetes node port service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to `://:, where`podId` starts from `0` to `replicaCount - 1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. 
+ type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + externalTrafficPolicy: + description: |- + externalTrafficPolicy specifies the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + host: + description: host defines the host name of the cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + nodePortOffset: + description: |- + nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect + to the replicas count. + NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server. + The default Kubernetes Node Port range is `30000` - `32762`. + format: int32 + minimum: 0 + type: integer + servicePorts: + description: |- + servicePorts specify user-provided service port(s). + For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service. + items: + description: ServicePort contains information on + service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. 
+ This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by + this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. 
Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - host + - nodePortOffset + type: object + route: + description: route specifies the configuration to create + a route service in OpenShift. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. 
It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://-http-external.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain specifies the domain name of the + Confluent component cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + prefix: + description: |- + prefix specifies the component prefix when configured for the domain. + The default value is the name of the cluster. + minLength: 1 + type: string + wildcardPolicy: + description: |- + wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`. 
+ The default value is `None`. + enum: + - Subdomain + - None + type: string + required: + - domain + type: object + type: + description: |- + type specifies the Kubernetes external service for the component. + Valid options are `loadBalancer`, `nodePort`, and `route`. + enum: + - loadBalancer + - nodePort + - route + minLength: 1 + type: string + required: + - type + type: object + listeners: + description: listeners specify the listeners configurations + for embedded REST API server. + properties: + external: + description: external specifies the Confluent component + external listener. + properties: + externalAccess: + description: externalAccess defines the external access + configuration for the Confluent component. + properties: + loadBalancer: + description: loadBalancer specifies the configuration + to create a Kubernetes load balancer service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. 
+ minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string + key and value pairs. It specifies Kubernetes + annotations for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain is the domain name of + the component cluster. + minLength: 1 + type: string + externalTrafficPolicy: + description: externalTrafficPolicy specifies + the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key + and value pairs. It specifies Kubernetes + labels for this service. + type: object + x-kubernetes-map-type: granular + loadBalancerSourceRanges: + description: loadBalancerSourceRanges specify + the source ranges. + items: + type: string + type: array + port: + description: |- + port specifies the external port for the client consumption. + If not configured, the same internal/external port is configured for the component. + Information about the port can be retrieved through the status API. + format: int32 + type: integer + prefix: + description: |- + prefix specify the prefix for the given domain. + The default value is the name of the cluster. + minLength: 1 + type: string + servicePorts: + description: servicePorts specify the user-provided + service port(s). + items: + description: ServicePort contains information + on service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). 
+ + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed + by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. 
+ Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains + the configurations of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - domain + type: object + nodePort: + description: nodePort specifies the configuration + to create a Kubernetes node port service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to `://:, where`podId` starts from `0` to `replicaCount - 1`. 
+ This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string + key and value pairs. It specifies Kubernetes + annotations for this service. + type: object + x-kubernetes-map-type: granular + externalTrafficPolicy: + description: |- + externalTrafficPolicy specifies the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + host: + description: host defines the host name of + the cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key + and value pairs. It specifies Kubernetes + labels for this service. + type: object + x-kubernetes-map-type: granular + nodePortOffset: + description: |- + nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect + to the replicas count. + NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server. + The default Kubernetes Node Port range is `30000` - `32762`. 
+ format: int32 + minimum: 0 + type: integer + servicePorts: + description: |- + servicePorts specify user-provided service port(s). + For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service. + items: + description: ServicePort contains information + on service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. 
If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed + by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains + the configurations of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. 
+ properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - host + - nodePortOffset + type: object + route: + description: route specifies the configuration + to create a route service in OpenShift. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://-http-external.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string + key and value pairs. It specifies Kubernetes + annotations for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain specifies the domain name + of the Confluent component cluster. 
+ minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key + and value pairs. It specifies Kubernetes + labels for this service. + type: object + x-kubernetes-map-type: granular + prefix: + description: |- + prefix specifies the component prefix when configured for the domain. + The default value is the name of the cluster. + minLength: 1 + type: string + wildcardPolicy: + description: |- + wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`. + The default value is `None`. + enum: + - Subdomain + - None + type: string + required: + - domain + type: object + type: + description: |- + type specifies the Kubernetes external service for the component. + Valid options are `loadBalancer`, `nodePort`, and `route`. + enum: + - loadBalancer + - nodePort + - route + minLength: 1 + type: string + required: + - type + type: object + tls: + description: tls specifies the TLS configuration for + the listener. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS + configuration for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret + containing the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + internal: + description: |- + internal specifies the Confluent component's internal listener. + This internal listener is for intra-communication between the pods. + properties: + port: + description: |- + port binds the given port to the internal listener. If not configured, + it will be defaulted to the component-specific internal port. + Port numbers lower than `9093` are reserved by CFK. + format: int32 + minimum: 9093 + type: integer + tls: + description: tls specifies the TLS configuration for + the listener. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS + configuration for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret + containing the JKS password. 
+ properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + type: object + tls: + description: tls specifies the TLS configuration for embedded + REST API server. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + mds: + description: mds specifies the MDS server configuration. + properties: + authentication: + description: authentication specifies the MDS server authentication + configuration. + properties: + type: + description: type defines the MDS authentication type. + The valid option is `bearer`. + enum: + - bearer + type: string + required: + - type + type: object + externalAccess: + description: externalAccess specifies the external access + configuration. + properties: + loadBalancer: + description: loadBalancer specifies the configuration + to create a Kubernetes load balancer service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. 
+ Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain is the domain name of the component + cluster. + minLength: 1 + type: string + externalTrafficPolicy: + description: externalTrafficPolicy specifies the external + traffic policy for the service. Valid options are + `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + loadBalancerSourceRanges: + description: loadBalancerSourceRanges specify the + source ranges. + items: + type: string + type: array + port: + description: |- + port specifies the external port for the client consumption. + If not configured, the same internal/external port is configured for the component. + Information about the port can be retrieved through the status API. + format: int32 + type: integer + prefix: + description: |- + prefix specify the prefix for the given domain. + The default value is the name of the cluster. + minLength: 1 + type: string + servicePorts: + description: servicePorts specify the user-provided + service port(s). + items: + description: ServicePort contains information on + service's port. 
+ properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). 
+ More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by + this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). 
+ format: int32 + type: integer + type: object + type: object + required: + - domain + type: object + nodePort: + description: nodePort specifies the configuration to create + a Kubernetes node port service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to `://:, where`podId` starts from `0` to `replicaCount - 1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + externalTrafficPolicy: + description: |- + externalTrafficPolicy specifies the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + host: + description: host defines the host name of the cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. 
It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + nodePortOffset: + description: |- + nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect + to the replicas count. + NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server. + The default Kubernetes Node Port range is `30000` - `32762`. + format: int32 + minimum: 0 + type: integer + servicePorts: + description: |- + servicePorts specify user-provided service port(s). + For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service. + items: + description: ServicePort contains information on + service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. 
+ Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by + this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. 
+ More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - host + - nodePortOffset + type: object + route: + description: route specifies the configuration to create + a route service in OpenShift. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://-http-external.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. 
+ minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain specifies the domain name of the + Confluent component cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + prefix: + description: |- + prefix specifies the component prefix when configured for the domain. + The default value is the name of the cluster. + minLength: 1 + type: string + wildcardPolicy: + description: |- + wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`. + The default value is `None`. + enum: + - Subdomain + - None + type: string + required: + - domain + type: object + type: + description: |- + type specifies the Kubernetes external service for the component. + Valid options are `loadBalancer`, `nodePort`, and `route`. + enum: + - loadBalancer + - nodePort + - route + minLength: 1 + type: string + required: + - type + type: object + listeners: + description: listeners specify the listeners configurations + for MDS server. + properties: + external: + description: external specifies the Confluent component + external listener. + properties: + externalAccess: + description: externalAccess defines the external access + configuration for the Confluent component. + properties: + loadBalancer: + description: loadBalancer specifies the configuration + to create a Kubernetes load balancer service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. 
+ If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string + key and value pairs. It specifies Kubernetes + annotations for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain is the domain name of + the component cluster. + minLength: 1 + type: string + externalTrafficPolicy: + description: externalTrafficPolicy specifies + the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key + and value pairs. It specifies Kubernetes + labels for this service. + type: object + x-kubernetes-map-type: granular + loadBalancerSourceRanges: + description: loadBalancerSourceRanges specify + the source ranges. 
+ items: + type: string + type: array + port: + description: |- + port specifies the external port for the client consumption. + If not configured, the same internal/external port is configured for the component. + Information about the port can be retrieved through the status API. + format: int32 + type: integer + prefix: + description: |- + prefix specify the prefix for the given domain. + The default value is the name of the cluster. + minLength: 1 + type: string + servicePorts: + description: servicePorts specify the user-provided + service port(s). + items: + description: ServicePort contains information + on service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. 
+ type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed + by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. 
+ enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains + the configurations of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - domain + type: object + nodePort: + description: nodePort specifies the configuration + to create a Kubernetes node port service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to `://:, where`podId` starts from `0` to `replicaCount - 1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string + key and value pairs. 
It specifies Kubernetes + annotations for this service. + type: object + x-kubernetes-map-type: granular + externalTrafficPolicy: + description: |- + externalTrafficPolicy specifies the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + host: + description: host defines the host name of + the cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key + and value pairs. It specifies Kubernetes + labels for this service. + type: object + x-kubernetes-map-type: granular + nodePortOffset: + description: |- + nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect + to the replicas count. + NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server. + The default Kubernetes Node Port range is `30000` - `32762`. + format: int32 + minimum: 0 + type: integer + servicePorts: + description: |- + servicePorts specify user-provided service port(s). + For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service. + items: + description: ServicePort contains information + on service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). 
+ + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed + by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. 
+ Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains + the configurations of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - host + - nodePortOffset + type: object + route: + description: route specifies the configuration + to create a route service in OpenShift. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://-http-external.` where podId starts from `0` to `replicaCount -1`. 
+ This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string + key and value pairs. It specifies Kubernetes + annotations for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain specifies the domain name + of the Confluent component cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key + and value pairs. It specifies Kubernetes + labels for this service. + type: object + x-kubernetes-map-type: granular + prefix: + description: |- + prefix specifies the component prefix when configured for the domain. + The default value is the name of the cluster. + minLength: 1 + type: string + wildcardPolicy: + description: |- + wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`. + The default value is `None`. + enum: + - Subdomain + - None + type: string + required: + - domain + type: object + type: + description: |- + type specifies the Kubernetes external service for the component. 
+ Valid options are `loadBalancer`, `nodePort`, and `route`. + enum: + - loadBalancer + - nodePort + - route + minLength: 1 + type: string + required: + - type + type: object + tls: + description: tls specifies the TLS configuration for + the listener. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS + configuration for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret + containing the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + internal: + description: |- + internal specifies the Confluent component's internal listener. + This internal listener is for intra-communication between the pods. + properties: + port: + description: |- + port binds the given port to the internal listener. 
If not configured, + it will be defaulted to the component-specific internal port. + Port numbers lower than `9093` are reserved by CFK. + format: int32 + minimum: 9093 + type: integer + tls: + description: tls specifies the TLS configuration for + the listener. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS + configuration for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret + containing the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + type: object + provider: + description: provider specifies the identity provider configuration. + properties: + ldap: + description: ldap defines the LDAP service configuration. 
+ properties: + address: + description: address defines the LDAP server address. + type: string + authentication: + description: LdapAuthentication specifies the LDAP + authentication configuration. + properties: + simple: + description: simple specifies simple authentication + configuration for the LDAP. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer defines the directory path in the container + where the credentials are mounted. + minLength: 1 + type: string + secretRef: + description: secretRef references the name + of the secret that contains the credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: type defines the authentication method + for LDAP. Valid options are `simple` and `mtls`. + enum: + - simple + - mtls + type: string + required: + - type + type: object + configurations: + description: configurations defines the LDAP configurations + for Confluent RBAC. + properties: + groupMemberAttribute: + description: groupMemberAttribute specifies the + LDAP group member attribute. + minLength: 1 + type: string + groupMemberAttributePattern: + description: groupMemberAttributePattern specifies + the regular expression pattern for the LDAP + group member attribute. + minLength: 1 + type: string + groupNameAttribute: + description: groupNameAttribute specifies the + LDAP group name attribute. + minLength: 1 + type: string + groupObjectClass: + description: groupObjectClass specifies the LDAP + group object class. + minLength: 1 + type: string + groupSearchBase: + description: groupSearchBase specifies the LDAP + search base for the group-based search. + minLength: 1 + type: string + groupSearchFilter: + description: groupSearchFilter specifies the LDAP + search filter for the group-based search. + minLength: 1 + type: string + groupSearchScope: + description: groupSearchScope specifies the LDAP + search scope for the group-based search. 
+ format: int32 + type: integer + userMemberOfAttributePattern: + description: userMemberOfAttributePattern specifies + the regular expression pattern for the LDAP + user member attribute. + minLength: 1 + type: string + userNameAttribute: + description: userNameAttribute specifies the LDAP + username attribute. + minLength: 1 + type: string + userObjectClass: + description: userObjectClass specifies the LDAP + user object class. + minLength: 1 + type: string + userSearchBase: + description: userSearchBase specifies the LDAP + search base for the user-based search. + minLength: 1 + type: string + userSearchFilter: + description: userSearchFilter specifies the LDAP + search filter for the user-based search. + minLength: 1 + type: string + userSearchScope: + description: userSearchScope specifies the LDAP + search scope for the user-based search. + format: int32 + type: integer + type: object + tls: + description: tls specifies the TLS configuration for + the LDAP. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS + configuration for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret + containing the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + required: + - address + - authentication + - configurations + type: object + oauth: + description: oauth defines the OAuth service configuration. + properties: + configurations: + description: configurations defines the OAuth configurations. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. 
+ minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + tls: + description: tls specifies the TLS configuration for + the OAuth IDP. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS + configuration for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret + containing the JKS password. 
+ properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + required: + - configurations + type: object + oidc: + description: |- + this field has been superseded with sso field + oidc defines the OIDC service configuration. + properties: + clientCredentials: + description: clientCredentials define the IDP clientID + and clientSecret. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer defines the directory path in the container + where the credentials are mounted. + minLength: 1 + type: string + secretRef: + description: secretRef references the name of + the secret that contains the credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + configurations: + description: configurations defines the OIDC configurations. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + authorizeBaseEndpointUri: + description: authorizeBaseEndpointUri specifies + the base uri for authorize endpoint. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. 
+ minLength: 1 + type: string + groupsClaimScope: + description: |- + groupsClaimScope specifies additional scope needed for the token to contain groups claim (field). + Leave this field empty (or null) if id token always contains the claims identified as groups. + minLength: 1 + type: string + issuer: + description: |- + issuer specifies the authorization server's URL. + This value should match the issuer claim ("iss") in id tokens issued by Authorization Server? + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + refreshToken: + description: refreshToken specifies whether offline_access + scope should be requested in the authorization + URI. + type: boolean + sessionMaxTimeout: + description: sessionMaxTimeout specifies the maximum + expiration time for a user's session. + format: int32 + type: integer + sessionTokenExpiry: + description: sessionTokenExpiry specifies the + validity of cookie issued by Confluent. + format: int32 + type: integer + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenBaseEndpointUri: + description: tokenBaseEndpointUri specifies the + base uri for token endpoint. + minLength: 1 + type: string + required: + - authorizeBaseEndpointUri + - issuer + - jwksEndpointUri + - refreshToken + - tokenBaseEndpointUri + type: object + enabled: + default: true + description: |- + enabled specifies whether the SSO is enabled. + default is true. + type: boolean + required: + - clientCredentials + - configurations + type: object + sso: + description: sso defines the SSO service configuration. + properties: + clientCredentials: + description: clientCredentials define the IDP clientID + and clientSecret. 
+ properties: + directoryPathInContainer: + description: |- + directoryPathInContainer defines the directory path in the container + where the credentials are mounted. + minLength: 1 + type: string + secretRef: + description: secretRef references the name of + the secret that contains the credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + configurations: + description: configurations defines the OIDC configurations. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + authorizeBaseEndpointUri: + description: authorizeBaseEndpointUri specifies + the base uri for authorize endpoint. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + groupsClaimScope: + description: |- + groupsClaimScope specifies additional scope needed for the token to contain groups claim (field). + Leave this field empty (or null) if id token always contains the claims identified as groups. + minLength: 1 + type: string + issuer: + description: |- + issuer specifies the authorization server's URL. + This value should match the issuer claim ("iss") in id tokens issued by Authorization Server? + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + refreshToken: + description: refreshToken specifies whether offline_access + scope should be requested in the authorization + URI. + type: boolean + sessionMaxTimeout: + description: sessionMaxTimeout specifies the maximum + expiration time for a user's session. 
+ format: int32 + type: integer + sessionTokenExpiry: + description: sessionTokenExpiry specifies the + validity of cookie issued by Confluent. + format: int32 + type: integer + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenBaseEndpointUri: + description: tokenBaseEndpointUri specifies the + base uri for token endpoint. + minLength: 1 + type: string + required: + - authorizeBaseEndpointUri + - issuer + - jwksEndpointUri + - refreshToken + - tokenBaseEndpointUri + type: object + enabled: + default: true + description: |- + enabled specifies whether the SSO is enabled. + default is true. + type: boolean + required: + - clientCredentials + - configurations + type: object + type: + description: This field has been deprecated and its value + will be ignored if set. + type: string + type: object + tls: + description: tls specifies the TLS configuration for MDS server. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + tokenKeyPair: + description: tokenKeyPair specifies the token key pair for + the MDS. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer defines the directory path in the container + where the MDS token key pair are mounted. + minLength: 1 + type: string + encryptedTokenKey: + description: |- + EncryptedTokenKey boolean value indicating whether the tokenKeypair(private used for signing) is encrypted using a passphrase. If true, cfk + operator will look for a file named mdsTokenKeyPassphrase.txt containing key value pair + mdsTokenKeyPassphrase=. Relevant only for mds server. Ignored if set for a client configuration. + type: boolean + secretRef: + description: secretRef references the name of the secret + that contains the MDS token key pair. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - provider + - tokenKeyPair + type: object + type: object + storageClass: + description: |- + storageClass specifies the user-provided storage class. If not + configured, it will use the default storage class. + properties: + name: + description: name is the storage class name. + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + telemetry: + description: telemetry specifies the Confluent telemetry reporter + configuration. 
+ properties: + global: + description: |- + global allows disabling telemetry configuration. + If CFK is deployed with telemetry, this field is only + used to disable telemetry. The default value is `true` if + telemetry is enabled at the global level. + type: boolean + type: object + tls: + description: |- + tls specifies the global-level TLS configuration which can be used by + listeners and services. + properties: + autoGeneratedCerts: + description: |- + autoGeneratedCerts specifies that the certificates are auto-generated based on + the CA key pair provided. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + fips: + description: |- + fips specifies the configuration of FIPS compliant Bouncy Castle type Java Keystores for the cp component's + TLS settings. TLS Secrets must have the keys keystore.bcfks, truststore.bcfks, and jksPassword.txt + properties: + enabled: + description: enabled specifies whether to enable the FIPS + configuration for cp components. + type: boolean + required: + - enabled + type: object + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing the + JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - dataVolumeCapacity + - image + type: object + status: + description: status defines the observed state of the Kafka cluster. + properties: + arbitraryData: + description: arbitraryData is the map for any arbitrary data associated + with this Confluent component. + x-kubernetes-preserve-unknown-fields: true + authorizationType: + description: authorizationType is the authorization type for this + Confluent component. + type: string + brokerIdOffset: + description: brokerIdOffset is the broker id offset of the Kafka cluster. + format: int32 + type: integer + clusterID: + description: clusterID is the ID of the Kafka cluster. + type: string + clusterName: + description: clusterName is the name of the Confluent Platform component + cluster. + type: string + clusterNamespace: + description: clusterNamespace is the namespace where the Confluent + Platform component cluster is running. + type: string + conditions: + description: conditions specify the latest available observations + of the current state. + items: + description: Condition represent the latest available observations + of the current state. + properties: + lastProbeTime: + description: lastProbeTime shows the last time the condition + was evaluated. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime shows the last time the condition + was transitioned from one status to another. 
+ format: date-time + type: string + message: + description: message shows a human-readable message with details + about the transition. + type: string + reason: + description: reason shows the reason for the last transition + of the condition. + type: string + status: + description: status shows the status of the condition, one of + `True`, `False`, or `Unknown`. + type: string + type: + description: type shows the condition type. + type: string + type: object + type: array + currentClusterVersion: + description: currentClusterVersion is the current CP Server version + type: string + currentReplicas: + description: currentReplicas is the number of currently running replicas. + format: int32 + type: integer + internalSecrets: + description: |- + internalSecrets are internal secrets created + by CFK for this Confluent component. + items: + type: string + type: array + internalTopicNames: + description: internalTopicNames are the topics used by the component + for internal use. + items: + type: string + type: array + listeners: + additionalProperties: + properties: + advertisedExternalEndpoints: + description: advertisedExternalEndpoints specifies other advertised + endpoints used, especially for Kafka. + items: + type: string + type: array + authenticationType: + description: authenticationType shows the authentication type + configured by the listener. + type: string + client: + type: string + externalAccessType: + description: externalAccessType shows the external access type + used for the listener. + type: string + externalEndpoint: + description: externalEndpoint specifies the external endpoint + to connect to the Confluent component cluster. + type: string + internalEndpoint: + description: internalEndpoint specifies the internal endpoint + to connect to the Confluent component cluster. + type: string + tls: + description: tls shows whether TLS is configured for the listener. 
+ type: boolean + type: object + description: listeners is a map for the status of Kafka Listeners. + type: object + x-kubernetes-map-type: granular + minISR: + description: minISR is the minimum number of in sync replicas in the + Kafka cluster. + format: int32 + type: integer + observedGeneration: + description: observedGeneration is the most recent generation observed + for this Confluent component. + format: int64 + type: integer + operatorVersion: + description: operatorVersion is the internal version of CFK. + type: string + phase: + description: |- + phase describes the state of the Confluent Platform component. This can either be 'PROVISIONING' + or 'RUNNING' + 'PROVISIONING' means the Confluent Platform component is currently getting deployed and not ready yet. + 'RUNNING' means the Confluent Platform component has been successfully deployed. + type: string + previousClusterVersion: + description: previousClusterVersion is the previous CP Server version + of the kafka cluster. + type: string + readyReplicas: + description: readyReplicas is the number of currently ready replicas. + format: int32 + type: integer + replicas: + description: replicas is the number of replicas. + format: int32 + type: integer + replicationFactor: + description: replicationFactor is the replication factor of the topics + in the Kafka cluster. + format: int32 + type: integer + selector: + description: |- + selector gets the label selector of the child pod. + The Horizontal Pod Autoscaler(HPA) will scale using the label selector of the child pod. + type: string + services: + additionalProperties: + description: ListenerStatus describes general information about + the listeners. + properties: + advertisedExternalEndpoints: + description: advertisedExternalEndpoints specifies other advertised + endpoints used, especially for Kafka. + items: + type: string + type: array + authenticationType: + description: authenticationType shows the authentication type + configured by the listener. 
+ type: string + externalAccessType: + description: externalAccessType shows the external access type + used for the listener. + type: string + externalEndpoint: + description: externalEndpoint specifies the external endpoint + to connect to the Confluent component cluster. + type: string + internalEndpoint: + description: internalEndpoint specifies the internal endpoint + to connect to the Confluent component cluster. + type: string + tls: + description: tls shows whether TLS is configured for the listener. + type: boolean + type: object + description: services is a map for the Kafka services. + type: object + x-kubernetes-map-type: granular + zookeeperConnect: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.replicas + status: {}
diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kafkatopics.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kafkatopics.yaml
new file mode 100644
index 000000000..0a71576b2
--- /dev/null
+++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kafkatopics.yaml
@@ -0,0 +1,410 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: kafkatopics.platform.confluent.io +spec: + group: platform.confluent.io + names: + categories: + - all + - confluent-platform + - confluent + kind: KafkaTopic + listKind: KafkaTopicList + plural: kafkatopics + shortNames: + - kt + - topic + singular: kafkatopic + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.replicas + name: Replicas + type: string + - jsonPath: .status.partitionCount + name: Partition + type: string + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .status.kafkaClusterID + name: ClusterID + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.kafkaCluster + name: KafkaCluster + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: KafkaTopic is the schema for the Kafka Topic API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of the KafkaTopic. 
+ properties: + configs: + additionalProperties: + type: string + description: |- + configs is a map of string key and value pairs that are used to pass the configuration settings for the topic. + More info: https://docs.confluent.io/current/installation/configuration/topic-configs.html. + type: object + x-kubernetes-map-type: granular + kafkaClusterRef: + description: kafkaClusterRef specifies the name of the Kafka cluster. + properties: + name: + description: name specifies the name of the Confluent Platform + component cluster. + type: string + namespace: + description: namespace specifies the namespace where the Confluent + Platform component cluster is running. + type: string + required: + - name + type: object + kafkaRest: + description: kafkaRest specifies the Kafka REST API configuration. + properties: + authentication: + description: authentication specifies the REST API authentication + mechanism. + properties: + basic: + description: basic specifies the basic authentication settings + for the REST API client. + properties: + debug: + description: debug enables the basic authentication debug + logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. 
+ items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + bearer: + description: bearer specifies the bearer authentication settings + for the REST API client. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the OAuth authentication settings + for the REST API client. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. 
+ minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass the + basic credential through a directory path in the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to pass + the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the REST API authentication type. + Valid options are `basic`, `bearer`, `mtls` and `oauth`. + enum: + - basic + - bearer + - mtls + - oauth + type: string + required: + - type + type: object + endpoint: + description: endpoint specifies where Confluent REST API is running. 
+ minLength: 1 + pattern: ^https?://.* + type: string + kafkaClusterID: + description: |- + kafkaClusterID specifies the id of Kafka cluster. + It takes precedence over using the Kafka REST API to get the cluster id. + minLength: 1 + type: string + tls: + description: "tls specifies the custom TLS structure for the application + resources,\n\t// e.g. connector, topic, schema, of the Confluent + Platform components.\n\t// +optional" + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer contains the directory path in the container where + `keystore.jks`, `truststore.jks`, `jksPassword.txt` keys are mounted. + minLength: 1 + type: string + jksPassword: + description: jksPassword specifies the secret name that contains + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef specifies the secret name that contains the certificates. + More info about certificates key/value format: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: object + kafkaRestClassRef: + description: kafkaRestClassRef references the KafkaRestClass which + defines Kafka REST API connection information. + properties: + name: + description: name specifies the name of the KafkaRestClass application + resource. + minLength: 1 + type: string + namespace: + description: namespace specifies the namespace of the KafkaRestClass. 
+ type: string + required: + - name + type: object + name: + description: |- + name specifies the topic name. If not configured, the KafkaTopic CR name is used + as the topic name. + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9\._\-]*$ + type: string + partitionCount: + description: |- + partitionCount specifies the number of partitions for the topic. + If not configured, it will be defaulted to the partition count that Kafka REST V3 API supports. + format: int32 + type: integer + replicas: + description: |- + replicas specifies the replication factor for the topic. + If not configured, it will be defaulted to the replication factor that Kafka REST V3 API supports. + format: int32 + type: integer + type: object + status: + description: status defines the observed state of the KafkaTopic. + properties: + appState: + default: Unknown + description: appState is the current state of the topic application. + enum: + - Unknown + - Created + - Failed + - Deleted + type: string + conditions: + description: conditions are the latest available observed states of + the topic. + items: + description: Condition represent the latest available observations + of the current state. + properties: + lastProbeTime: + description: lastProbeTime shows the last time the condition + was evaluated. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime shows the last time the condition + was transitioned from one status to another. + format: date-time + type: string + message: + description: message shows a human-readable message with details + about the transition. + type: string + reason: + description: reason shows the reason for the last transition + of the condition. + type: string + status: + description: status shows the status of the condition, one of + `True`, `False`, or `Unknown`. + type: string + type: + description: type shows the condition type. 
+ type: string + type: object + type: array + kafkaCluster: + type: string + kafkaClusterID: + description: kafkaClusterID is the id of the Kafka cluster. + type: string + kafkaRestEndpoint: + description: kafkaRestEndpoint is the endpoint of the Kafka REST API. + type: string + observedGeneration: + description: observedGeneration is the most recent generation observed + for this Confluent component. + format: int64 + type: integer + partitionCount: + description: partitionCount is the partition count of the topic. + format: int32 + type: integer + replicas: + description: replicas is the replication factor of the topic. + format: int32 + type: integer + state: + description: state is the state of the topic. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kraftcontrollers.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kraftcontrollers.yaml new file mode 100644 index 000000000..dc6bd45ba --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kraftcontrollers.yaml 
@@ -0,0 +1,5752 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: kraftcontrollers.platform.confluent.io +spec: + group: platform.confluent.io + names: + categories: + - all + - confluent-platform + - confluent + kind: KRaftController + listKind: KRaftControllerList + plural: kraftcontrollers + shortNames: + - kraftcontroller + - kraft + singular: kraftcontroller + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.replicas + name: Replicas + type: string + - jsonPath: .status.readyReplicas + name: Ready + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.controllerQuorumVoters + name: ControllerQuorumVoters + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: KRaftController is the schema for the KRaft Controller API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of the KRaft Controller cluster. + properties: + authorization: + description: authorization specifies the authorization configuration. 
+ properties: + superUsers: + description: |- + superUsers specify the super users to give the admin privilege on the Kafka Cluster. + This list takes the format as `User:` + items: + type: string + type: array + type: + description: type specifies the authorization type. The valid + options are `rbac` and `simple`. + enum: + - rbac + - simple + type: string + required: + - type + type: object + clusterID: + description: |- + clusterID specifies the ID of the KRaft Controller cluster. It must contain only alphanumeric characters and the + hyphen character and be of length 22. If omitted, a clusterID will be autogenerated. + In the case of attaching to existing Persistent Volumes, you must match the old clusterID. + maxLength: 22 + minLength: 22 + pattern: ^[a-zA-Z0-9\-\_]*$ + type: string + configOverrides: + description: configOverrides specifies the configs to override the + server, JVM, Log4j properties for the KRaft Controller cluster. + properties: + jvm: + description: |- + jvm is a list of JVM configuration supported by the Confluent Platform component. + This will either add or update the existing configuration. + items: + type: string + type: array + log4j: + description: |- + log4j is a list of Log4J configuration supported by the Confluent Platform component. + This will either add or update the existing configuration. + items: + type: string + type: array + server: + description: |- + server is a list of server configuration supported by the Confluent Platform component. + This will either add or update existing configuration. + items: + type: string + type: array + type: object + controllerQuorumVoters: + description: |- + QuorumVoters specify a list of kraft controllers. This is only required when deploying stretch + kafka clusters for MRC deployments in multiple DCs (or K8s clusters) and should include all the kraft controllers in other DCs that form the ensemble. 
+ items: + description: ControllerQuorumVoter defines the KRaft controller + quorum voter. + properties: + brokerEndpoint: + description: brokerEndpoint is the endpoint of the KRaft Controller. + type: string + nodeId: + description: nodeId is the nodeId of the KRaft Controller. + format: int32 + type: integer + required: + - brokerEndpoint + - nodeId + type: object + type: array + dataVolumeCapacity: + anyOf: + - type: integer + - type: string + description: dataVolumeCapacity specifies the persistent volume capacity + for the KRaft Controller cluster. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + dependencies: + description: de + properties: + mdsKafkaCluster: + properties: + authentication: + description: authentication defines the authentication for + the Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another way + to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. 
+ This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + tls: + description: tls defines the client-side TLS setting for the + Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. 
+ type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + type: object + fips: + description: |- + fips specifies the configuration of FIPS compliant Bouncy Castle type Java Keystores for the KRaft Controller + cluster's TLS settings. TLS Secrets must have the keys keystore.bcfks, truststore.bcfks, and jksPassword.txt + properties: + enabled: + description: enabled specifies whether to enable the FIPS configuration + for cp components. + type: boolean + required: + - enabled + type: object + headlessService: + description: headlessService specifies the configuration of the Kubernetes + headless service. + properties: + annotations: + additionalProperties: + type: string + description: |- + annotations is a map of string key and value pairs. + It specifies the annotations to be added to the CFK-created headless service. + These annotations are merged with the injectAnnotations and take precedence. + type: object + x-kubernetes-map-type: granular + labels: + additionalProperties: + type: string + description: |- + labels is a map of string key and value pairs. + It specifies the labels to be added to the CFK-created headless service. 
+ These labels are merged with the injectLabels and take precedence. + type: object + x-kubernetes-map-type: granular + publishNotReadyAddresses: + description: |- + publishNotReadyAddresses specifies the publishNotReadyAddresses field. + For Kafka, this value must be true. The default value is true. + type: boolean + type: object + identityProvider: + description: |- + identityProvider specifies the identity provider configuration. + It is only required for the Kafka authentication type `ldap`. + properties: + ldap: + description: ldap defines the LDAP service configuration. + properties: + address: + description: address defines the LDAP server address. + type: string + authentication: + description: LdapAuthentication specifies the LDAP authentication + configuration. + properties: + simple: + description: simple specifies simple authentication configuration + for the LDAP. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer defines the directory path in the container + where the credentials are mounted. + minLength: 1 + type: string + secretRef: + description: secretRef references the name of the + secret that contains the credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: type defines the authentication method for + LDAP. Valid options are `simple` and `mtls`. + enum: + - simple + - mtls + type: string + required: + - type + type: object + configurations: + description: configurations defines the LDAP configurations + for Confluent RBAC. + properties: + groupMemberAttribute: + description: groupMemberAttribute specifies the LDAP group + member attribute. + minLength: 1 + type: string + groupMemberAttributePattern: + description: groupMemberAttributePattern specifies the + regular expression pattern for the LDAP group member + attribute. 
+ minLength: 1 + type: string + groupNameAttribute: + description: groupNameAttribute specifies the LDAP group + name attribute. + minLength: 1 + type: string + groupObjectClass: + description: groupObjectClass specifies the LDAP group + object class. + minLength: 1 + type: string + groupSearchBase: + description: groupSearchBase specifies the LDAP search + base for the group-based search. + minLength: 1 + type: string + groupSearchFilter: + description: groupSearchFilter specifies the LDAP search + filter for the group-based search. + minLength: 1 + type: string + groupSearchScope: + description: groupSearchScope specifies the LDAP search + scope for the group-based search. + format: int32 + type: integer + userMemberOfAttributePattern: + description: userMemberOfAttributePattern specifies the + regular expression pattern for the LDAP user member + attribute. + minLength: 1 + type: string + userNameAttribute: + description: userNameAttribute specifies the LDAP username + attribute. + minLength: 1 + type: string + userObjectClass: + description: userObjectClass specifies the LDAP user object + class. + minLength: 1 + type: string + userSearchBase: + description: userSearchBase specifies the LDAP search + base for the user-based search. + minLength: 1 + type: string + userSearchFilter: + description: userSearchFilter specifies the LDAP search + filter for the user-based search. + minLength: 1 + type: string + userSearchScope: + description: userSearchScope specifies the LDAP search + scope for the user-based search. + format: int32 + type: integer + type: object + tls: + description: tls specifies the TLS configuration for the LDAP. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. 
+ minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + required: + - address + - authentication + - configurations + type: object + oauth: + description: oauth defines the OAuth service configuration. + properties: + configurations: + description: configurations defines the OAuth configurations. + properties: + audience: + description: audience specifies the audience claim in + the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected issuer + in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of claim + in token for identifying the groups of subject in the + JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). 
+ It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout with + IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry backoff + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff with + IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim in JWT + to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + tls: + description: tls specifies the TLS configuration for the OAuth + IDP. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. 
+ type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + required: + - configurations + type: object + oidc: + description: |- + this field has been superseded with sso field + oidc defines the OIDC service configuration. + properties: + clientCredentials: + description: clientCredentials define the IDP clientID and + clientSecret. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer defines the directory path in the container + where the credentials are mounted. + minLength: 1 + type: string + secretRef: + description: secretRef references the name of the secret + that contains the credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + configurations: + description: configurations defines the OIDC configurations. + properties: + audience: + description: audience specifies the audience claim in + the JWT payload. 
+ minLength: 1 + type: string + authorizeBaseEndpointUri: + description: authorizeBaseEndpointUri specifies the base + uri for authorize endpoint. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of claim + in token for identifying the groups of subject in the + JWT payload. + minLength: 1 + type: string + groupsClaimScope: + description: |- + groupsClaimScope specifies additional scope needed for the token to contain groups claim (field). + Leave this field empty (or null) if id token always contains the claims identified as groups. + minLength: 1 + type: string + issuer: + description: |- + issuer specifies the authorization server's URL. + This value should match the issuer claim ("iss") in id tokens issued by Authorization Server? + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + refreshToken: + description: refreshToken specifies whether offline_access + scope should be requested in the authorization URI. + type: boolean + sessionMaxTimeout: + description: sessionMaxTimeout specifies the maximum expiration + time for a user's session. + format: int32 + type: integer + sessionTokenExpiry: + description: sessionTokenExpiry specifies the validity + of cookie issued by Confluent. + format: int32 + type: integer + subClaimName: + description: subClaimName specifies name of claim in JWT + to use for the subject. + minLength: 1 + type: string + tokenBaseEndpointUri: + description: tokenBaseEndpointUri specifies the base uri + for token endpoint. 
+ minLength: 1 + type: string + required: + - authorizeBaseEndpointUri + - issuer + - jwksEndpointUri + - refreshToken + - tokenBaseEndpointUri + type: object + enabled: + default: true + description: |- + enabled specifies whether the SSO is enabled. + default is true. + type: boolean + required: + - clientCredentials + - configurations + type: object + sso: + description: sso defines the SSO service configuration. + properties: + clientCredentials: + description: clientCredentials define the IDP clientID and + clientSecret. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer defines the directory path in the container + where the credentials are mounted. + minLength: 1 + type: string + secretRef: + description: secretRef references the name of the secret + that contains the credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + configurations: + description: configurations defines the OIDC configurations. + properties: + audience: + description: audience specifies the audience claim in + the JWT payload. + minLength: 1 + type: string + authorizeBaseEndpointUri: + description: authorizeBaseEndpointUri specifies the base + uri for authorize endpoint. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of claim + in token for identifying the groups of subject in the + JWT payload. + minLength: 1 + type: string + groupsClaimScope: + description: |- + groupsClaimScope specifies additional scope needed for the token to contain groups claim (field). + Leave this field empty (or null) if id token always contains the claims identified as groups. + minLength: 1 + type: string + issuer: + description: |- + issuer specifies the authorization server's URL. + This value should match the issuer claim ("iss") in id tokens issued by Authorization Server? 
+ minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + refreshToken: + description: refreshToken specifies whether offline_access + scope should be requested in the authorization URI. + type: boolean + sessionMaxTimeout: + description: sessionMaxTimeout specifies the maximum expiration + time for a user's session. + format: int32 + type: integer + sessionTokenExpiry: + description: sessionTokenExpiry specifies the validity + of cookie issued by Confluent. + format: int32 + type: integer + subClaimName: + description: subClaimName specifies name of claim in JWT + to use for the subject. + minLength: 1 + type: string + tokenBaseEndpointUri: + description: tokenBaseEndpointUri specifies the base uri + for token endpoint. + minLength: 1 + type: string + required: + - authorizeBaseEndpointUri + - issuer + - jwksEndpointUri + - refreshToken + - tokenBaseEndpointUri + type: object + enabled: + default: true + description: |- + enabled specifies whether the SSO is enabled. + default is true. + type: boolean + required: + - clientCredentials + - configurations + type: object + type: + description: This field has been deprecated and its value will + be ignored if set. + type: string + type: object + image: + description: |- + image specifies the application and the init docker image configurations. + A change to this setting will roll the cluster. + properties: + application: + description: |- + application is the Docker image name of the application. Specify + `//:`. + pattern: .+:.+ + type: string + init: + description: |- + init is the init-container name. Specify + `//:`. + pattern: .+:.+ + type: string + pullPolicy: + description: |- + pullPolicy is the policy for pulling images. Valid options are `Always`, `Never`, and `IfNotPresent`. 
+ The default value is `IfNotPresent`. + enum: + - Always + - Never + - IfNotPresent + type: string + pullSecretRef: + description: |- + pullSecretRef references the secrets in the same namespace to be used for pulling images. + Image pull secrets are distinct from secrets because secrets + can be mounted in the pod, but image pull secrets are only accessed by `kubelet`. + More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + items: + type: string + type: array + required: + - application + - init + type: object + injectAnnotations: + additionalProperties: + type: string + description: |- + injectAnnotations are the annotations injected to the internal resources that CFK created. + The internal annotations are preserved and cannot be overridden. + For pod annotations, use `podTemplate.annotations`. + type: object + x-kubernetes-map-type: granular + injectLabels: + additionalProperties: + type: string + description: |- + injectLabels are the labels injected to the internal resources that CFK created. + The internal labels are preserved and cannot be overridden. + For pod labels, use `podTemplate.labels`. + type: object + x-kubernetes-map-type: granular + k8sClusterDomain: + description: |- + k8sClusterDomain specifies the configuration of the Kubernetes cluster domain. + The default is the `cluster.local` domain. + type: string + license: + description: license specifies the license configuration for the Confluent + Platform component. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + the license key is mounted. More info: + https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses + minLength: 1 + type: string + globalLicense: + description: globalLicense specifies whether the Confluent Platform + component shares the common global license. 
+ type: boolean + secretRef: + description: |- + secretRef references the secret that provides the license for the Confluent Platform component. + More info: https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + listeners: + description: listeners specify the listeners configurations. + properties: + controller: + description: controller specifies the controller listener. + properties: + authentication: + description: authentication specifies the authentication configuration + for the listener. + properties: + jaasConfig: + description: |- + jaasConfig specifies the JaaS configuration. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: |- + jaasConfigPassThrough specifies another way to provide JaaS configuration. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. 
+ This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. 
+ This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + principalMappingRules: + items: + type: string + type: array + type: + description: |- + type specifies the Kafka or Zookeeper authentication type. + Valid options are `plain`, `digest`, `mtls`, `ldap` & `oauth`. + enum: + - plain + - digest + - mtls + - ldap + - oauth + type: string + required: + - type + type: object + externalAccess: + description: externalAccess defines the external access configuration + for the Kafka cluster. + properties: + loadBalancer: + description: loadBalancer specifies the configuration + to create Kubernetes load balancer services. + properties: + advertisedPort: + description: |- + advertisedPort specifies the advertised port for Kafka external access. + If not configured, it will be the same as the listener port. + Information about the advertised port can be retrieved through the status API. + format: int32 + type: integer + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + bootstrapPrefix: + description: |- + bootstrapPrefix specifies the prefix for the Kafka bootstrap advertised endpoint and will be added as `bootstrapPrefix.domain`. + The default value is the Kafka cluster name. + minLength: 1 + type: string + brokerPrefix: + description: |- + brokerPrefix specifies the prefix for the Kafka broker advertised endpoint and will be added as `brokerPrefix.domain`. + The default value is `b`, such as `b#.domain` where `#` starts from `0` to the replicas count. + minLength: 1 + type: string + domain: + description: domain is the domain name of the component + cluster. 
+ minLength: 1 + type: string + externalTrafficPolicy: + description: externalTrafficPolicy specifies the external + traffic policy for the service. Valid options are + `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + loadBalancerSourceRanges: + description: loadBalancerSourceRanges specify the + source ranges. + items: + type: string + type: array + servicePorts: + description: servicePorts specify the user-provided + service port(s). + items: + description: ServicePort contains information on + service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. 
+ Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by + this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. 
+ More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - domain + type: object + nodePort: + description: nodePort specifies the configuration to create + Kubernetes node port services. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to `://:, where`podId` starts from `0` to `replicaCount - 1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. 
+ minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + externalTrafficPolicy: + description: |- + externalTrafficPolicy specifies the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + host: + description: host defines the host name of the cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + nodePortOffset: + description: |- + nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect + to the replicas count. + NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server. + The default Kubernetes Node Port range is `30000` - `32762`. + format: int32 + minimum: 0 + type: integer + servicePorts: + description: |- + servicePorts specify user-provided service port(s). + For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service. + items: + description: ServicePort contains information on + service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). 
+ + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by + this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. 
+ Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - host + - nodePortOffset + type: object + route: + description: route specifies the configuration to create + route services in OpenShift. + properties: + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. 
+ type: object + x-kubernetes-map-type: granular + bootstrapPrefix: + description: |- + bootstrapPrefix specifies the prefix for the Kafka bootstrap advertised endpoint and will be added as `bootstrapPrefix.domain`. + The default value is the Kafka cluster name. + minLength: 1 + type: string + brokerPrefix: + description: |- + brokerPrefix specifies the prefix for the Kafka broker advertised endpoint and will be added as `brokerPrefix.domain`. + The default value is `b`, such as `b#.domain` where `#` starts from `0` to the replicas count. + minLength: 1 + type: string + domain: + description: domain specifies the domain name of the + Confluent component cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + wildcardPolicy: + description: |- + wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`. + The default value is `None`. + enum: + - Subdomain + - None + type: string + required: + - domain + type: object + staticForHostBasedRouting: + description: |- + staticForHostBasedRouting enables external access by doing host based + routing through the SNI capability. + With this schema, CFK only configures Kafka advertised listeners, and no Kubernetes external + service is created. + properties: + brokerPrefix: + description: |- + brokerPrefix specifies the prefix for the broker advertised endpoints and are added as `brokerPrefix.domain`. + If not configured, it will add `b` as a prefix, such as `b#.domain` where `#` will start from `0` to the replicas count. + minLength: 1 + type: string + domain: + description: domain specifies the domain name for + the Kafka cluster. + minLength: 1 + type: string + port: + description: port specifies the port to be used in + the advertised listener for a broker. 
+ format: int32 + type: integer + required: + - domain + - port + type: object + staticForPortBasedRouting: + description: |- + staticForPortBasedRouting enables external access by port routing. + With this schema, CFK only configures Kafka advertised listeners, and no Kubernetes external + service is created. + properties: + host: + description: host defines the host name to be used + in the advertised listener for a broker. + minLength: 1 + type: string + portOffset: + description: |- + portOffset specifies the starting port number. The port numbers go in ascending order with + respect to the replicas count. + format: int32 + type: integer + required: + - host + - portOffset + type: object + type: + description: |- + type specifies the Kubernetes service for external access. + Valid options are `loadBalancer`, `nodePort`, `route`, `staticForPortBasedRouting`, and `staticForHostBasedRouting`. + enum: + - loadBalancer + - nodePort + - route + - staticForPortBasedRouting + - staticForHostBasedRouting + type: string + required: + - type + type: object + tls: + description: tls specifies the TLS configuration for the listener. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. 
+ properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + type: object + metricReporter: + description: |- + metricsReporter specifies the configuration of the metric reporter. The metric reporter is enabled by default. + If authentication and TLS are not set, the metrics reporter uses internal listener's authentication and TLS . + properties: + authentication: + description: authentication specifies the Kafka client-side authentication + configuration. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side JaaS + configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another way to + provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim in + the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected issuer + in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of claim + in token for identifying the groups of subject in the + JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout with + IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry backoff + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff with + IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. 
+ minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim in JWT + to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap endpoint. + type: string + enabled: + description: enabled specifies whether to enable or disable the + metric reporter. + type: boolean + replicationFactor: + description: replicationFactor specifies the number of replicas + in the metric topic. + format: int32 + type: integer + tls: + description: tls specifies the Kafka client-side TLS configuration. 
+ properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + required: + - enabled + type: object + metrics: + description: metrics specify the security settings for the metric + services. + properties: + authentication: + description: authentication specifies the authentication configuration + for the metrics. + properties: + type: + description: type specifies the metrics authentication method. + The valid option is `mtls`. 
+ enum: + - mtls + type: string + required: + - type + type: object + prometheus: + description: prometheus specifies the configuration overrides + for the JMX-Prometheus exporter. + properties: + blacklist: + items: + type: string + type: array + rules: + items: + description: Rule defines the Prometheus Exporter rule override. + properties: + attrNameSnakeCase: + type: boolean + cache: + type: boolean + help: + minLength: 1 + type: string + labels: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + name: + minLength: 1 + type: string + pattern: + minLength: 1 + type: string + type: + minLength: 1 + type: string + value: + minLength: 1 + type: string + valueFactor: + anyOf: + - type: integer + - type: string + default: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: array + whitelist: + items: + type: string + type: array + type: object + tls: + description: tls specifies the TLS configuration for the metrics. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + mountedSecrets: + description: |- + mountedSecrets list the secrets injected to + the underlying statefulset configuration. The secret reference is mounted + in the default path `/mnt/secrets/`. The underlying resources + will follow the secret as a file configuration. + More info: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod. + A change to this setting will roll the cluster. + items: + description: |- + MountedSecrets provides a way to inject a custom secret to the underlying + statefulset. + properties: + keyItems: + description: keyItems are key and path names. + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. 
+ May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + secretRef: + description: secretRef references the name of the secret. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + type: array + mountedVolumes: + description: |- + mountedVolumes list the custom volumes that need to be mounted into the + underlying statefulset. + A change to this setting will roll the cluster. + properties: + volumeMounts: + description: |- + volumeMounts specify the list of volume mounts for the pods in the + statefulset. + items: + description: VolumeMount describes a mounting of a Volume within + a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. 
+ type: string + required: + - mountPath + - name + type: object + type: array + volumes: + description: |- + volumes specify the list of volumes that can be mounted into the pods + of statefulset. + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk mount + on the host and bind mount to the pod. 
+ properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk in + the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in the + blob storage + type: string + fsType: + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure managed + data disk (only in managed availability set). defaults + to shared' + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. 
+ type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the host + that shares a pod's lifetime + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. 
+ type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about the + pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the + pod: only annotations, labels, name and namespace + are supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must not + be absolute or contain the ''..'' path. Must + be utf-8 encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. 
+ The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. 
Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. 
+ When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. 
+ * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. 
+ type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource that + is attached to a kubelet's host machine and then exposed + to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target worldwide + names (WWNs)' + items: + type: string + type: array + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + properties: + driver: + description: driver is the name of the driver to use + for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
+ type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the specified + revision. 
+ type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md + properties: + endpoints: + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. 
+ More info: https://examples.k8s.io/volumes/iscsi/README.md + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. 
+ type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon Controller + persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources secrets, + configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected along + with other supported volume types + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the configMap + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. 
Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the + downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". 
+ type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about the secret + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. 
+ May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. 
+ type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount on the host + that shares a pod's lifetime + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references an already + created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + image: + description: |- + image is the rados image name. 
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + pool: + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the ScaleIO + API Gateway. 
+ type: string + protectionDomain: + description: protectionDomain is the name of the ScaleIO + Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL communication + with Gateway, default false + type: boolean + storageMode: + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage Pool + associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether the Secret + or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume attached + and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume attached + and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. 
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy Based + Management (SPBM) profile ID associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - volumeMounts + - volumes + type: object + oneReplicaPerNode: + description: |- + oneReplicaPerNode controls whether to run 1 pod per node using the pod anti-affinity capability. + Enabling this configuration in an existing cluster will roll the cluster. + type: boolean + pdb: + description: |- + configures PodDisruptionBudget for the Confluent Platform component. + by default PDB is configured based on pre-detemined formula. + properties: + enabled: + description: enabled specifies whether the PodDisruptionBudget + is enabled + type: boolean + maxUnavailable: + description: maxUnavailable is the maximum number of pods that + can be unavailable during the disruption. + format: int32 + type: integer + required: + - enabled + type: object + podTemplate: + description: podTemplate specifies the statefulset pod template configuration. + properties: + affinity: + description: |- + affinity specifies a group of affinity scheduling rules. + More info: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. 
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. 
+ When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. 
due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + description: |- + annotations is a map of string key and value pairs stored with the resource and + may be set by external tools to store and retrieve arbitrary metadata. They + are not queryable and should be preserved when modifying objects. More + info: http://kubernetes.io/docs/user-guide/annotations. + type: object + x-kubernetes-map-type: granular + envVars: + description: |- + envVars contain environment variables to be injected into containers. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". 
+ type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + labels: + additionalProperties: + type: string + description: |- + labels is a map of string key and value pairs that can be used to organize and categorize + (scope and select) objects. + More info: http://kubernetes.io/docs/user-guide/labels. + type: object + x-kubernetes-map-type: granular + podSecurityContext: + description: |- + PodSecurityContext holds pod-level security attributes and common container settings. + Some fields are also present in container.securityContext. Field values of + container.securityContext take precedence over field values of PodSecurityContext. + properties: + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. 
+ Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. 
+ Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. 
+ Unconfined - no profile should be applied. + type: string + required: + - type + type: object + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in addition + to the container's primary GID, the fsGroup (if specified), and group memberships + defined in the container image for the uid of the container process. If unspecified, + no additional groups are added to any container. Note that group memberships + defined in the container image for the uid of the container process are still effective, + even if they are not included in this list. + Note that this field cannot be set when spec.os.name is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. 
+ type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + priorityClassName: + description: priorityClassName specifies the priority class for + the pod (if any). + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + probe: + description: probe contains the fields for standard Kubernetes + readiness/liveness probe configuration. + properties: + liveness: + description: |- + liveness configures the Kubernetes probe settings. The changes + will override the existing default configuration. + properties: + failureThreshold: + description: |- + failureThreshold is the minimum consecutive failures for the probe to be considered failed. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + initialDelaySeconds: + description: |- + initialDelaySeconds is the number of seconds after the container has started and before probes are initiated. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. 
+ format: int32 + type: integer + path: + description: Path for the HTTP probe + type: string + periodSeconds: + description: |- + periodSeconds specifies how often to perform the probe. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + port: + description: Number of the port to access on the container + type: integer + successThreshold: + description: |- + successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed. + The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`. + format: int32 + type: integer + timeoutSeconds: + description: |- + timeoutSeconds is the number of seconds after which the probe times out. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + type: object + readiness: + description: |- + readiness configures the Kubernetes probe setting. The changes + will override the existing default configuration. + properties: + failureThreshold: + description: |- + failureThreshold is the minimum consecutive failures for the probe to be considered failed. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + initialDelaySeconds: + description: |- + initialDelaySeconds is the number of seconds after the container has started and before probes are initiated. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + path: + description: Path for the HTTP probe + type: string + periodSeconds: + description: |- + periodSeconds specifies how often to perform the probe. 
+ Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + port: + description: Number of the port to access on the container + type: integer + successThreshold: + description: |- + successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed. + The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`. + format: int32 + type: integer + timeoutSeconds: + description: |- + timeoutSeconds is the number of seconds after which the probe times out. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + type: object + type: object + resources: + description: resources describe the compute resource requirements. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: |- + SecurityContext holds security configuration that will be applied to a container. + Some fields are present in both SecurityContext and PodSecurityContext. When both + are set, the values in SecurityContext take precedence. + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. 
+ properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default is DefaultProcMount which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. 
+ Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + serviceAccountName: + description: |- + ServiceAccountName is the name of the service account used to run this pod. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account. 
+ type: string + terminationGracePeriodSeconds: + description: terminationGracePeriodSeconds is the grace period + before the pod is deleted. + format: int64 + type: integer + tolerations: + description: |- + tolerations specify the pods to schedule onto the nodes with matching taints, using + the triple `` and the matching operator ``. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + topologySpreadConstraints describe how a group of pods ought to spread across topology domains. 
Scheduler will + schedule pods based on the constraints. All topologySpreadConstraints are ANDed. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + + + This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. 
+ type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. 
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + replicas: + description: |- + replicas is the desired number of replicas. + A change to this setting will roll the cluster. + format: int32 + type: integer + storageClass: + description: |- + storageClass specifies the user-provided storage class. If not + configured, it will use the default storage class. + properties: + name: + description: name is the storage class name. + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + telemetry: + description: telemetry specifies the Confluent telemetry reporter + configuration. + properties: + global: + description: |- + global allows disabling telemetry configuration. + If CFK is deployed with telemetry, this field is only + used to disable telemetry. The default value is `true` if + telemetry is enabled at the global level. + type: boolean + type: object + tls: + description: |- + tls specifies the global-level TLS configuration which can be used by + listeners and services. + properties: + autoGeneratedCerts: + description: |- + autoGeneratedCerts specifies that the certificates are auto-generated based on + the CA key pair provided. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. 
+ `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + fips: + description: |- + fips specifies the configuration of FIPS compliant Bouncy Castle type Java Keystores for the cp component's + TLS settings. TLS Secrets must have the keys keystore.bcfks, truststore.bcfks, and jksPassword.txt + properties: + enabled: + description: enabled specifies whether to enable the FIPS + configuration for cp components. + type: boolean + required: + - enabled + type: object + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing the + JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - dataVolumeCapacity + - image + type: object + status: + description: status defines the observed state of the KRaft Controller + cluster. + properties: + arbitraryData: + description: arbitraryData is the map for any arbitrary data associated + with this Confluent component. + x-kubernetes-preserve-unknown-fields: true + authorizationType: + description: authorizationType is the authorization type for this + Confluent component. 
+ type: string + brokerIdOffset: + description: brokerIdOffset is the broker id offset of the KRaft Controller + cluster. + format: int32 + type: integer + clusterID: + description: clusterID is the ID of the KRaft Controller cluster. + type: string + clusterName: + description: clusterName is the name of the Confluent Platform component + cluster. + type: string + clusterNamespace: + description: clusterNamespace is the namespace where the Confluent + Platform component cluster is running. + type: string + conditions: + description: conditions specify the latest available observations + of the current state. + items: + description: Condition represent the latest available observations + of the current state. + properties: + lastProbeTime: + description: lastProbeTime shows the last time the condition + was evaluated. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime shows the last time the condition + was transitioned from one status to another. + format: date-time + type: string + message: + description: message shows a human-readable message with details + about the transition. + type: string + reason: + description: reason shows the reason for the last transition + of the condition. + type: string + status: + description: status shows the status of the condition, one of + `True`, `False`, or `Unknown`. + type: string + type: + description: type shows the condition type. + type: string + type: object + type: array + controllerQuorumVoters: + description: controllerQuorumVoters is the list KRaft Controller Quorum + Voters. + items: + description: ControllerQuorumVoter defines the KRaft controller + quorum voter. + properties: + brokerEndpoint: + description: brokerEndpoint is the endpoint of the KRaft Controller. + type: string + nodeId: + description: nodeId is the nodeId of the KRaft Controller. 
+ format: int32 + type: integer + required: + - brokerEndpoint + - nodeId + type: object + type: array + currentReplicas: + description: currentReplicas is the number of currently running replicas. + format: int32 + type: integer + internalSecrets: + description: |- + internalSecrets are internal secrets created + by CFK for this Confluent component. + items: + type: string + type: array + internalTopicNames: + description: internalTopicNames are the topics used by the component + for internal use. + items: + type: string + type: array + listeners: + additionalProperties: + description: ListenerStatus describes general information about + the listeners. + properties: + advertisedExternalEndpoints: + description: advertisedExternalEndpoints specifies other advertised + endpoints used, especially for Kafka. + items: + type: string + type: array + authenticationType: + description: authenticationType shows the authentication type + configured by the listener. + type: string + externalAccessType: + description: externalAccessType shows the external access type + used for the listener. + type: string + externalEndpoint: + description: externalEndpoint specifies the external endpoint + to connect to the Confluent component cluster. + type: string + internalEndpoint: + description: internalEndpoint specifies the internal endpoint + to connect to the Confluent component cluster. + type: string + tls: + description: tls shows whether TLS is configured for the listener. + type: boolean + type: object + description: listeners is a map for the status of Kafka Listeners. + type: object + x-kubernetes-map-type: granular + observedGeneration: + description: observedGeneration is the most recent generation observed + for this Confluent component. + format: int64 + type: integer + operatorVersion: + description: operatorVersion is the internal version of CFK. + type: string + phase: + description: |- + phase describes the state of the Confluent Platform component. 
This can either be 'PROVISIONING' + or 'RUNNING' + 'PROVISIONING' means the Confluent Platform component is currently getting deployed and not ready yet. + 'RUNNING' means the Confluent Platform component has been successfully deployed. + type: string + readyReplicas: + description: readyReplicas is the number of currently ready replicas. + format: int32 + type: integer + replicas: + description: replicas is the number of replicas. + format: int32 + type: integer + selector: + description: |- + selector gets the label selector of the child pod. + The Horizontal Pod Autoscaler(HPA) will scale using the label selector of the child pod. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.replicas + status: {} diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kraftmigrationjobs.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kraftmigrationjobs.yaml new file mode 100644 index 000000000..2e819ad8a --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_kraftmigrationjobs.yaml 
@@ -0,0 +1,194 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: kraftmigrationjobs.platform.confluent.io +spec: + group: platform.confluent.io + names: + categories: + - all + - confluent-platform + - confluent + kind: KRaftMigrationJob + listKind: KRaftMigrationJobList + plural: kraftmigrationjobs + shortNames: + - kraftmigrationjob + - kmj + singular: kraftmigrationjob + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: KRaftMigrationJob is the schema for the KRaftMigrationJob API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of the KRaftMigrationJob. + properties: + dependencies: + description: dependencies specify the Kafka Broker, Zookeeper and + KRaft Controllers. + properties: + kRaftController: + description: |- + kRaftController specifies the dependency configuration for the KRaftController cluster. + You cannot configure both zookeeper and kRaftController dependencies. 
+ properties: + name: + description: name specifies the name of the Confluent Platform + component cluster. + type: string + namespace: + description: namespace specifies the namespace where the Confluent + Platform component cluster is running. + type: string + required: + - name + type: object + kafka: + description: kafka defines the Kafka dependency configurations. + properties: + name: + description: name specifies the name of the Confluent Platform + component cluster. + type: string + namespace: + description: namespace specifies the namespace where the Confluent + Platform component cluster is running. + type: string + required: + - name + type: object + zookeeper: + description: zookeeper specifies the dependency configuration + for Zookeeper. + properties: + name: + description: name specifies the name of the Confluent Platform + component cluster. + type: string + namespace: + description: namespace specifies the namespace where the Confluent + Platform component cluster is running. + type: string + required: + - name + type: object + required: + - kRaftController + - kafka + - zookeeper + type: object + required: + - dependencies + type: object + status: + description: status defines the observed state of the KRaftMigrationJob. + properties: + conditions: + description: conditions represents the latest available observations + of the kraft migration job. + items: + description: Condition represent the latest available observations + of the current state. + properties: + lastProbeTime: + description: lastProbeTime shows the last time the condition + was evaluated. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime shows the last time the condition + was transitioned from one status to another. + format: date-time + type: string + message: + description: message shows a human-readable message with details + about the transition. 
+ type: string + reason: + description: reason shows the reason for the last transition + of the condition. + type: string + status: + description: status shows the status of the condition, one of + `True`, `False`, or `Unknown`. + type: string + type: + description: type shows the condition type. + type: string + type: object + type: array + kafkaClusterId: + description: clusterId is the clusterId for migrating cluster + type: string + kafkaGeneration: + description: |- + kafkaGeneration is the last generation at which + kafka cluster was updated during migration workflow + format: int64 + type: integer + kraftControllerGeneration: + description: |- + kraftControllerGeneration is the last generation at which + kraftController cluster was updated during migration workflow + format: int64 + type: integer + phase: + description: phase is the state of the kraft migration job. + type: string + subPhase: + description: subPhase is the state of the kraft migration job. + type: string + zkEndpointWithNode: + description: |- + zkEndpointWithNode is the zkEndpoint with node fetched from kafka + / + type: string + required: + - kafkaClusterId + - kafkaGeneration + - kraftControllerGeneration + - phase + - subPhase + - zkEndpointWithNode + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.replicas + status: {} diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_ksqldbs.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_ksqldbs.yaml new file mode 100644 index 000000000..c2a2e60fa --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_ksqldbs.yaml 
@@ -0,0 +1,6646 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: ksqldbs.platform.confluent.io +spec: + group: platform.confluent.io + names: + categories: + - all + - confluent-platform + - confluent + kind: KsqlDB + listKind: KsqlDBList + plural: ksqldbs + shortNames: + - ksqldb + - ksql + singular: ksqldb + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.replicas + name: Replicas + type: string + - jsonPath: .status.readyReplicas + name: Ready + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.kafka.bootstrapEndpoint + name: Kafka + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: KsqlDB is the schema for the ksqlDB API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of the ksqlDB cluster. + properties: + authentication: + description: authentication specifies whether authentication is needed + when accessing the ksqlDB cluster. + properties: + basic: + description: basic specifies the configuration for basic authentication. 
+ properties: + debug: + description: debug enables the basic authentication debug + logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the configuration for OAuth authentication. + properties: + configuration: + description: configuration specifies the OAuth server settings. + properties: + audience: + description: audience specifies the audience claim in + the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected issuer + in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of claim + in token for identifying the groups of subject in the + JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). 
+ It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout with + IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry backoff + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff with + IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim in JWT + to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass the basic + credential through a directory path in the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to pass the + required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication scheme for the + REST API server. Valid options are `basic`, `oauth` and `mtls`. 
+ enum: + - basic + - mtls + - oauth + type: string + required: + - type + type: object + authorization: + description: authorization specifies the RBAC configuration for the + ksqlDB cluster. + properties: + kafkaRestClassRef: + description: |- + kafkaRestClassRef references the KafkaRestClass + which specifies the Kafka REST API connection configuration. + properties: + name: + description: name specifies the name of the KafkaRestClass + application resource. + minLength: 1 + type: string + namespace: + description: namespace specifies the namespace of the KafkaRestClass. + type: string + required: + - name + type: object + type: + description: type specifies the client-side authorization type. + The valid option is `rbac`. + enum: + - rbac + type: string + required: + - type + type: object + configOverrides: + description: |- + configOverrides specifies the configs to override the server, JVM, Log4j properties for the ksqlDB cluster. + A change will roll the cluster. + properties: + jvm: + description: |- + jvm is a list of JVM configuration supported by the Confluent Platform component. + This will either add or update the existing configuration. + items: + type: string + type: array + log4j: + description: |- + log4j is a list of Log4J configuration supported by the Confluent Platform component. + This will either add or update the existing configuration. + items: + type: string + type: array + server: + description: |- + server is a list of server configuration supported by the Confluent Platform component. + This will either add or update existing configuration. + items: + type: string + type: array + type: object + dataVolumeCapacity: + anyOf: + - type: integer + - type: string + description: dataVolumeCapacity specifies the data volume for the + ksqlDB cluster. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + dependencies: + description: dependencies specifies the dependency configurations + for Kafka, Interceptor, Schema Registry, the MDS, and Connect. + properties: + connect: + description: connect specifies the Connect dependency configuration. + properties: + authentication: + description: authentication specifies the authentication configuration + for the Connect cluster. + properties: + basic: + description: basic specifies the configuration for basic + authentication. + properties: + debug: + description: debug enables the basic authentication + debug logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the configuration for OAuth + authentication. + properties: + configuration: + description: configuration specifies the OAuth server + settings. 
+ properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass + the basic credential through a directory path in + the container. 
+ minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to + pass the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication scheme + for the REST API client. Valid options are `basic`, + `oauth` and `mtls`. + enum: + - basic + - mtls + - oauth + type: string + required: + - type + type: object + tls: + description: tls specifies the client-side TLS setting for + the Connect cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + url: + description: url specifies the URL endpoint of the Connect + cluster. + minLength: 1 + pattern: ^https?://.* + type: string + required: + - url + type: object + interceptor: + description: interceptor specifies the interceptor dependency + configuration. + properties: + configs: + description: |- + configs describe the configurations for the Confluent Platform interceptor. + The config override feature can be used to pass the configuration settings. + items: + type: string + type: array + consumer: + description: |- + consumer specifies the consumer configuration for the interceptor. If not + configured, it uses the Kafka dependency configuration. + properties: + authentication: + description: authentication defines the authentication + for the Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another + way to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. 
+ minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. 
+ type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls defines the client-side TLS setting for + the Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + enabled: + description: enabled indicates whether the Confluent Platform + interceptor is enabled or disabled. 
+ type: boolean + producer: + description: |- + producer specifies the producer configuration for the interceptor. If not + configured, it uses the Kafka dependency configuration. + properties: + authentication: + description: authentication defines the authentication + for the Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another + way to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. 
+ minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. + type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls defines the client-side TLS setting for + the Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. 
+ type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + publishMs: + type: integer + required: + - enabled + type: object + kafka: + description: kafka specifies the Kafka dependency configuration. + properties: + authentication: + description: authentication defines the authentication for + the Kafka cluster. + properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another way + to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. 
+ minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. + enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. 
+ type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls defines the client-side TLS setting for the + Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + mds: + description: mds specifies the MDS dependencies configuration. 
+ properties: + authentication: + description: authentication specifies the client side authentication + configuration for the MDS. + properties: + bearer: + description: bearer specifies the bearer authentication + settings. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the OAuth authentication + settings. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. 
+ minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass + the basic credential through a directory path in + the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to + pass the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication method + for the MDS. The valid option is `bearer`, `oauth`. + enum: + - bearer + - oauth + type: string + required: + - type + type: object + endpoint: + description: endpoint specifies the MDS endpoint. + minLength: 1 + pattern: ^https?://.* + type: string + ssoProtocol: + description: sso protocol, valid options are ldap and oidc. 
+ enum: + - ldap + - oidc + type: string + tls: + description: ClientTLSConfig specifies the TLS configuration + for the Confluent component (dependencies, listeners). + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + tokenKeyPair: + description: tokenKeyPair specifies the token keypair to configure + the MDS. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer defines the directory path in the container + where the MDS token key pair are mounted. 
+ minLength: 1 + type: string + encryptedTokenKey: + description: |- + EncryptedTokenKey boolean value indicating whether the tokenKeypair(private used for signing) is encrypted using a passphrase. If true, cfk + operator will look for a file named mdsTokenKeyPassphrase.txt containing key value pair + mdsTokenKeyPassphrase=. Relevant only for mds server. Ignored if set for a client configuration. + type: boolean + secretRef: + description: secretRef references the name of the secret + that contains the MDS token key pair. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - authentication + - endpoint + - tokenKeyPair + type: object + schemaRegistry: + description: schemaRegistry specifies the Schema Registry dependency + configuration. + properties: + authentication: + description: authentication specifies the authentication for + the Schema Registry cluster. + properties: + basic: + description: basic specifies the configuration for basic + authentication. + properties: + debug: + description: debug enables the basic authentication + debug logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. 
+ items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the configuration for OAuth + authentication. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. 
+ minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass + the basic credential through a directory path in + the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to + pass the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication scheme + for the REST API client. Valid options are `basic`, + `oauth` and `mtls`. + enum: + - basic + - mtls + - oauth + type: string + required: + - type + type: object + tls: + description: tls defines the client-side TLS setting for the + Schema Registry cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. 
+ properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + url: + description: url specifies the URL endpoint of the Schema + Registry cluster. + minLength: 1 + pattern: ^https?://.* + type: string + required: + - url + type: object + type: object + externalAccess: + description: |- + externalAccess specifies the configurations for the endpoints and services to make the ksqlDB + accessible from outside the cluster. + When `spec.listeners` is configured, configuring `spec.externalAccess` is not allowed. + Please configure `spec.listeners.external.externalAccess` instead". + properties: + loadBalancer: + description: loadBalancer specifies the configuration to create + a Kubernetes load balancer service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. 
+ properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain is the domain name of the component cluster. + minLength: 1 + type: string + externalTrafficPolicy: + description: externalTrafficPolicy specifies the external + traffic policy for the service. Valid options are `Local` + and `Cluster`. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + loadBalancerSourceRanges: + description: loadBalancerSourceRanges specify the source ranges. + items: + type: string + type: array + port: + description: |- + port specifies the external port for the client consumption. + If not configured, the same internal/external port is configured for the component. + Information about the port can be retrieved through the status API. + format: int32 + type: integer + prefix: + description: |- + prefix specify the prefix for the given domain. + The default value is the name of the cluster. 
+ minLength: 1 + type: string + servicePorts: + description: servicePorts specify the user-provided service + port(s). + items: + description: ServicePort contains information on service's + port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. 
This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations of Client + IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. 
+ The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - domain + type: object + nodePort: + description: nodePort specifies the configuration to create a + Kubernetes node port service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to `://:, where`podId` starts from `0` to `replicaCount - 1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + externalTrafficPolicy: + description: |- + externalTrafficPolicy specifies the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + host: + description: host defines the host name of the cluster. 
+ minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + nodePortOffset: + description: |- + nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect + to the replicas count. + NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server. + The default Kubernetes Node Port range is `30000` - `32762`. + format: int32 + minimum: 0 + type: integer + servicePorts: + description: |- + servicePorts specify user-provided service port(s). + For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service. + items: + description: ServicePort contains information on service's + port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. 
+ All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. 
The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations of Client + IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - host + - nodePortOffset + type: object + route: + description: route specifies the configuration to create a route + service in OpenShift. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://-http-external.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. 
+ If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain specifies the domain name of the Confluent + component cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + prefix: + description: |- + prefix specifies the component prefix when configured for the domain. + The default value is the name of the cluster. + minLength: 1 + type: string + wildcardPolicy: + description: |- + wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`. + The default value is `None`. + enum: + - Subdomain + - None + type: string + required: + - domain + type: object + type: + description: |- + type specifies the Kubernetes external service for the component. + Valid options are `loadBalancer`, `nodePort`, and `route`. + enum: + - loadBalancer + - nodePort + - route + minLength: 1 + type: string + required: + - type + type: object + headlessService: + description: headlessService specifies the configuration of the Kubernetes + headless service. + properties: + annotations: + additionalProperties: + type: string + description: |- + annotations is a map of string key and value pairs. + It specifies the annotations to be added to the CFK-created headless service. + These annotations are merged with the injectAnnotations and take precedence. 
+ type: object + x-kubernetes-map-type: granular + labels: + additionalProperties: + type: string + description: |- + labels is a map of string key and value pairs. + It specifies the labels to be added to the CFK-created headless service. + These labels are merged with the injectLabels and take precedence. + type: object + x-kubernetes-map-type: granular + publishNotReadyAddresses: + description: |- + publishNotReadyAddresses specifies the publishNotReadyAddresses field. + For Kafka, this value must be true. The default value is true. + type: boolean + type: object + image: + description: |- + image specifies the application and the init docker image configurations. + A change to this setting will roll the cluster. + properties: + application: + description: |- + application is the Docker image name of the application. Specify + `//:`. + pattern: .+:.+ + type: string + init: + description: |- + init is the init-container name. Specify + `//:`. + pattern: .+:.+ + type: string + pullPolicy: + description: |- + pullPolicy is the policy for pulling images. Valid options are `Always`, `Never`, and `IfNotPresent`. + The default value is `IfNotPresent`. + enum: + - Always + - Never + - IfNotPresent + type: string + pullSecretRef: + description: |- + pullSecretRef references the secrets in the same namespace to be used for pulling images. + Image pull secrets are distinct from secrets because secrets + can be mounted in the pod, but image pull secrets are only accessed by `kubelet`. + More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + items: + type: string + type: array + required: + - application + - init + type: object + injectAnnotations: + additionalProperties: + type: string + description: |- + injectAnnotations are the annotations injected to the internal resources that CFK created. + The internal annotations are preserved and cannot be overridden. + For pod annotations, use `podTemplate.annotations`. 
+ type: object + x-kubernetes-map-type: granular + injectLabels: + additionalProperties: + type: string + description: |- + injectLabels are the labels injected to the internal resources that CFK created. + The internal labels are preserved and cannot be overridden. + For pod labels, use `podTemplate.labels`. + type: object + x-kubernetes-map-type: granular + internalTopicReplicationFactor: + description: internalTopicReplicationFactor specifies the replication + factor for internal topics. + format: int32 + type: integer + k8sClusterDomain: + description: |- + k8sClusterDomain specifies the configuration of the Kubernetes cluster domain. + The default is the `cluster.local` domain. + type: string + license: + description: license specifies the license configuration for the Confluent + Platform component. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + the license key is mounted. More info: + https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses + minLength: 1 + type: string + globalLicense: + description: globalLicense specifies whether the Confluent Platform + component shares the common global license. + type: boolean + secretRef: + description: |- + secretRef references the secret that provides the license for the Confluent Platform component. + More info: https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + listeners: + description: listeners specify the listeners configurations. + properties: + external: + description: external specifies the Confluent component external + listener. + properties: + externalAccess: + description: externalAccess defines the external access configuration + for the Confluent component. 
+ properties: + loadBalancer: + description: loadBalancer specifies the configuration + to create a Kubernetes load balancer service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain is the domain name of the component + cluster. + minLength: 1 + type: string + externalTrafficPolicy: + description: externalTrafficPolicy specifies the external + traffic policy for the service. Valid options are + `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. 
It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + loadBalancerSourceRanges: + description: loadBalancerSourceRanges specify the + source ranges. + items: + type: string + type: array + port: + description: |- + port specifies the external port for the client consumption. + If not configured, the same internal/external port is configured for the component. + Information about the port can be retrieved through the status API. + format: int32 + type: integer + prefix: + description: |- + prefix specify the prefix for the given domain. + The default value is the name of the cluster. + minLength: 1 + type: string + servicePorts: + description: servicePorts specify the user-provided + service port(s). + items: + description: ServicePort contains information on + service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. 
When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by + this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. 
`ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - domain + type: object + nodePort: + description: nodePort specifies the configuration to create + a Kubernetes node port service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to `://:, where`podId` starts from `0` to `replicaCount - 1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. 
+ minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + externalTrafficPolicy: + description: |- + externalTrafficPolicy specifies the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + host: + description: host defines the host name of the cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + nodePortOffset: + description: |- + nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect + to the replicas count. + NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server. + The default Kubernetes Node Port range is `30000` - `32762`. + format: int32 + minimum: 0 + type: integer + servicePorts: + description: |- + servicePorts specify user-provided service port(s). + For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service. + items: + description: ServicePort contains information on + service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). 
+ + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by + this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. 
+ Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - host + - nodePortOffset + type: object + route: + description: route specifies the configuration to create + a route service in OpenShift. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://-http-external.` where podId starts from `0` to `replicaCount -1`. 
+ This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain specifies the domain name of the + Confluent component cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + prefix: + description: |- + prefix specifies the component prefix when configured for the domain. + The default value is the name of the cluster. + minLength: 1 + type: string + wildcardPolicy: + description: |- + wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`. + The default value is `None`. + enum: + - Subdomain + - None + type: string + required: + - domain + type: object + type: + description: |- + type specifies the Kubernetes external service for the component. 
+ Valid options are `loadBalancer`, `nodePort`, and `route`. + enum: + - loadBalancer + - nodePort + - route + minLength: 1 + type: string + required: + - type + type: object + tls: + description: tls specifies the TLS configuration for the listener. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + internal: + description: |- + internal specifies the Confluent component's internal listener. + This internal listener is for intra-communication between the pods. + properties: + port: + description: |- + port binds the given port to the internal listener. 
If not configured, + it will be defaulted to the component-specific internal port. + Port numbers lower than `9093` are reserved by CFK. + format: int32 + minimum: 9093 + type: integer + tls: + description: tls specifies the TLS configuration for the listener. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + type: object + metrics: + description: metrics specify the security settings for the metric + services. + properties: + authentication: + description: authentication specifies the authentication configuration + for the metrics. 
+ properties: + type: + description: type specifies the metrics authentication method. + The valid option is `mtls`. + enum: + - mtls + type: string + required: + - type + type: object + prometheus: + description: prometheus specifies the configuration overrides + for the JMX-Prometheus exporter. + properties: + blacklist: + items: + type: string + type: array + rules: + items: + description: Rule defines the Prometheus Exporter rule override. + properties: + attrNameSnakeCase: + type: boolean + cache: + type: boolean + help: + minLength: 1 + type: string + labels: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + name: + minLength: 1 + type: string + pattern: + minLength: 1 + type: string + type: + minLength: 1 + type: string + value: + minLength: 1 + type: string + valueFactor: + anyOf: + - type: integer + - type: string + default: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: array + whitelist: + items: + type: string + type: array + type: object + tls: + description: tls specifies the TLS configuration for the metrics. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. 
+ properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + mountedSecrets: + description: |- + mountedSecrets list the secrets injected to + the underlying statefulset configuration. The secret reference is mounted + in the default path `/mnt/secrets/`. The underlying resources + will follow the secret as a file configuration. + More info: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod. + A change to this setting will roll the cluster. + items: + description: |- + MountedSecrets provides a way to inject a custom secret to the underlying + statefulset. + properties: + keyItems: + description: keyItems are key and path names. + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + secretRef: + description: secretRef references the name of the secret. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + type: array + mountedVolumes: + description: |- + mountedVolumes list the custom volumes that need to be mounted into the + underlying statefulset. + A change to this setting will roll the cluster. + properties: + volumeMounts: + description: |- + volumeMounts specify the list of volume mounts for the pods in the + statefulset. + items: + description: VolumeMount describes a mounting of a Volume within + a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). 
+ SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + volumes: + description: |- + volumes specify the list of volumes that can be mounted into the pods + of statefulset. + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk mount + on the host and bind mount to the pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk in + the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in the + blob storage + type: string + fsType: + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure managed + data disk (only in managed availability set). defaults + to shared' + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. 
+ type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the host + that shares a pod's lifetime + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. 
+ type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about the + pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the + pod: only annotations, labels, name and namespace + are supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must not + be absolute or contain the ''..'' path. Must + be utf-8 encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. 
+ The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. 
Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. 
+ When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. 
+ * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. 
+ type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource that + is attached to a kubelet's host machine and then exposed + to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target worldwide + names (WWNs)' + items: + type: string + type: array + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + properties: + driver: + description: driver is the name of the driver to use + for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
+ type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the specified + revision. 
+ type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md + properties: + endpoints: + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. 
+ More info: https://examples.k8s.io/volumes/iscsi/README.md + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. 
+ type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon Controller + persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources secrets, + configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected along + with other supported volume types + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the configMap + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. 
Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the + downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". 
+ type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about the secret + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. 
+ May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. 
+ type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount on the host + that shares a pod's lifetime + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references an already + created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + image: + description: |- + image is the rados image name. 
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + pool: + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the ScaleIO + API Gateway. 
+ type: string + protectionDomain: + description: protectionDomain is the name of the ScaleIO + Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL communication + with Gateway, default false + type: boolean + storageMode: + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage Pool + associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether the Secret + or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume attached + and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume attached + and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. 
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy Based + Management (SPBM) profile ID associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - volumeMounts + - volumes + type: object + oneReplicaPerNode: + description: |- + oneReplicaPerNode controls whether to run 1 pod per node using the pod anti-affinity capability. + Enabling this configuration in an existing cluster will roll the cluster. + type: boolean + pdb: + description: |- + configures PodDisruptionBudget for the Confluent Platform component. + by default PDB is configured based on pre-detemined formula. + properties: + enabled: + description: enabled specifies whether the PodDisruptionBudget + is enabled + type: boolean + maxUnavailable: + description: maxUnavailable is the maximum number of pods that + can be unavailable during the disruption. + format: int32 + type: integer + required: + - enabled + type: object + podTemplate: + description: podTemplate specifies the statefulset pod template configuration. + properties: + affinity: + description: |- + affinity specifies a group of affinity scheduling rules. + More info: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. 
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. 
+ When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. 
due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + description: |- + annotations is a map of string key and value pairs stored with the resource and + may be set by external tools to store and retrieve arbitrary metadata. They + are not queryable and should be preserved when modifying objects. More + info: http://kubernetes.io/docs/user-guide/annotations. + type: object + x-kubernetes-map-type: granular + envVars: + description: |- + envVars contain environment variables to be injected into containers. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". 
+ type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + labels: + additionalProperties: + type: string + description: |- + labels is a map of string key and value pairs that can be used to organize and categorize + (scope and select) objects. + More info: http://kubernetes.io/docs/user-guide/labels. + type: object + x-kubernetes-map-type: granular + podSecurityContext: + description: |- + PodSecurityContext holds pod-level security attributes and common container settings. + Some fields are also present in container.securityContext. Field values of + container.securityContext take precedence over field values of PodSecurityContext. + properties: + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. 
+ Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. 
+ Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. 
+ Unconfined - no profile should be applied. + type: string + required: + - type + type: object + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in addition + to the container's primary GID, the fsGroup (if specified), and group memberships + defined in the container image for the uid of the container process. If unspecified, + no additional groups are added to any container. Note that group memberships + defined in the container image for the uid of the container process are still effective, + even if they are not included in this list. + Note that this field cannot be set when spec.os.name is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. 
+ type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + priorityClassName: + description: priorityClassName specifies the priority class for + the pod (if any). + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + probe: + description: probe contains the fields for standard Kubernetes + readiness/liveness probe configuration. + properties: + liveness: + description: |- + liveness configures the Kubernetes probe settings. The changes + will override the existing default configuration. + properties: + failureThreshold: + description: |- + failureThreshold is the minimum consecutive failures for the probe to be considered failed. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + initialDelaySeconds: + description: |- + initialDelaySeconds is the number of seconds after the container has started and before probes are initiated. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. 
+ format: int32 + type: integer + path: + description: Path for the HTTP probe + type: string + periodSeconds: + description: |- + periodSeconds specifies how often to perform the probe. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + port: + description: Number of the port to access on the container + type: integer + successThreshold: + description: |- + successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed. + The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`. + format: int32 + type: integer + timeoutSeconds: + description: |- + timeoutSeconds is the number of seconds after which the probe times out. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + type: object + readiness: + description: |- + readiness configures the Kubernetes probe setting. The changes + will override the existing default configuration. + properties: + failureThreshold: + description: |- + failureThreshold is the minimum consecutive failures for the probe to be considered failed. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + initialDelaySeconds: + description: |- + initialDelaySeconds is the number of seconds after the container has started and before probes are initiated. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + path: + description: Path for the HTTP probe + type: string + periodSeconds: + description: |- + periodSeconds specifies how often to perform the probe. 
+ Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + port: + description: Number of the port to access on the container + type: integer + successThreshold: + description: |- + successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed. + The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`. + format: int32 + type: integer + timeoutSeconds: + description: |- + timeoutSeconds is the number of seconds after which the probe times out. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + type: object + type: object + resources: + description: resources describe the compute resource requirements. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: |- + SecurityContext holds security configuration that will be applied to a container. + Some fields are present in both SecurityContext and PodSecurityContext. When both + are set, the values in SecurityContext take precedence. + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. 
+ properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default is DefaultProcMount which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. 
+ Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + serviceAccountName: + description: |- + ServiceAccountName is the name of the service account used to run this pod. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account. 
+ type: string + terminationGracePeriodSeconds: + description: terminationGracePeriodSeconds is the grace period + before the pod is deleted. + format: int64 + type: integer + tolerations: + description: |- + tolerations specify the pods to schedule onto the nodes with matching taints, using + the triple `` and the matching operator ``. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + topologySpreadConstraints describe how a group of pods ought to spread across topology domains. 
Scheduler will + schedule pods based on the constraints. All topologySpreadConstraints are ANDed. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + + + This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. 
+ type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. 
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + replicas: + description: |- + replicas is the desired number of replicas. + A change to this setting will roll the cluster. + format: int32 + type: integer + storageClass: + description: storageClass specifies the storage class used for creating + the PVC for the ksqlDB cluster. + properties: + name: + description: name is the storage class name. + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + telemetry: + description: telemetry specifies the Confluent telemetry reporter + configuration. + properties: + global: + description: |- + global allows disabling telemetry configuration. + If CFK is deployed with telemetry, this field is only + used to disable telemetry. The default value is `true` if + telemetry is enabled at the global level. + type: boolean + type: object + tls: + description: tls specifies the global TLS configurations for the ksqlDB + cluster. + properties: + autoGeneratedCerts: + description: |- + autoGeneratedCerts specifies that the certificates are auto-generated based on + the CA key pair provided. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. 
+ `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + fips: + description: |- + fips specifies the configuration of FIPS compliant Bouncy Castle type Java Keystores for the cp component's + TLS settings. TLS Secrets must have the keys keystore.bcfks, truststore.bcfks, and jksPassword.txt + properties: + enabled: + description: enabled specifies whether to enable the FIPS + configuration for cp components. + type: boolean + required: + - enabled + type: object + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing the + JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - dataVolumeCapacity + - image + type: object + status: + description: status defines the observed state of ksqlDB Server. + properties: + arbitraryData: + description: arbitraryData is the map for any arbitrary data associated + with this Confluent component. + x-kubernetes-preserve-unknown-fields: true + authorizationType: + description: authorizationType is the authorization type for this + Confluent component. 
+ type: string + clusterName: + description: clusterName is the name of the Confluent Platform component + cluster. + type: string + clusterNamespace: + description: clusterNamespace is the namespace where the Confluent + Platform component cluster is running. + type: string + conditions: + description: conditions specify the latest available observations + of the current state. + items: + description: Condition represent the latest available observations + of the current state. + properties: + lastProbeTime: + description: lastProbeTime shows the last time the condition + was evaluated. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime shows the last time the condition + was transitioned from one status to another. + format: date-time + type: string + message: + description: message shows a human-readable message with details + about the transition. + type: string + reason: + description: reason shows the reason for the last transition + of the condition. + type: string + status: + description: status shows the status of the condition, one of + `True`, `False`, or `Unknown`. + type: string + type: + description: type shows the condition type. + type: string + type: object + type: array + currentReplicas: + description: currentReplicas is the number of currently running replicas. + format: int32 + type: integer + internalSecrets: + description: |- + internalSecrets are internal secrets created + by CFK for this Confluent component. + items: + type: string + type: array + internalTopicNames: + description: internalTopicNames are the topics used by the component + for internal use. + items: + type: string + type: array + kafka: + description: kafka is the Kafka client side status for the ksqlDB + cluster. + properties: + authenticationType: + description: authenticationType describes the authentication method + for the Kafka cluster. 
+ type: string + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap endpoint. + type: string + tls: + description: tls indicates whether TLS is enabled for the Kafka + dependency. + type: boolean + type: object + listeners: + additionalProperties: + description: ListenerStatus describes general information about + the listeners. + properties: + advertisedExternalEndpoints: + description: advertisedExternalEndpoints specifies other advertised + endpoints used, especially for Kafka. + items: + type: string + type: array + authenticationType: + description: authenticationType shows the authentication type + configured by the listener. + type: string + externalAccessType: + description: externalAccessType shows the external access type + used for the listener. + type: string + externalEndpoint: + description: externalEndpoint specifies the external endpoint + to connect to the Confluent component cluster. + type: string + internalEndpoint: + description: internalEndpoint specifies the internal endpoint + to connect to the Confluent component cluster. + type: string + tls: + description: tls shows whether TLS is configured for the listener. + type: boolean + type: object + description: listeners is a map of listener type and the status of + KsqlDB Listeners. + type: object + x-kubernetes-map-type: granular + observedGeneration: + description: observedGeneration is the most recent generation observed + for this Confluent component. + format: int64 + type: integer + operatorVersion: + description: operatorVersion is the internal version of CFK. + type: string + phase: + description: |- + phase describes the state of the Confluent Platform component. This can either be 'PROVISIONING' + or 'RUNNING' + 'PROVISIONING' means the Confluent Platform component is currently getting deployed and not ready yet. + 'RUNNING' means the Confluent Platform component has been successfully deployed. 
+ type: string + rbac: + description: rbac contains the RBAC-related status when RBAC is enabled. + properties: + clusterID: + description: clusterID specifies the id of the cluster. + type: string + internalRolebindings: + description: internalRolebindings specifies the internal rolebindings. + items: + type: string + type: array + type: object + readyReplicas: + description: readyReplicas is the number of currently ready replicas. + format: int32 + type: integer + replicas: + description: replicas is the number of replicas. + format: int32 + type: integer + restConfig: + description: restConfig is the REST API configuration of the ksqlDB + cluster. + properties: + advertisedExternalEndpoints: + description: advertisedExternalEndpoints specifies other advertised + endpoints used, especially for Kafka. + items: + type: string + type: array + authenticationType: + description: authenticationType shows the authentication type + configured by the listener. + type: string + externalAccessType: + description: externalAccessType shows the external access type + used for the listener. + type: string + externalEndpoint: + description: externalEndpoint specifies the external endpoint + to connect to the Confluent component cluster. + type: string + internalEndpoint: + description: internalEndpoint specifies the internal endpoint + to connect to the Confluent component cluster. + type: string + tls: + description: tls shows whether TLS is configured for the listener. + type: boolean + type: object + selector: + description: |- + selector gets the label selector of the child pod. + The Horizontal Pod Autoscaler(HPA) will scale using the label selector of the child pod. + type: string + serviceID: + description: serviceID is the id of the ksqlDB service. 
+ type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.replicas + status: {} diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_schemaexporters.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_schemaexporters.yaml new file mode 100644 index 000000000..fd23b7028 --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_schemaexporters.yaml 
@@ -0,0 +1,688 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: schemaexporters.platform.confluent.io +spec: + group: platform.confluent.io + names: + categories: + - all + - confluent-platform + - confluent + kind: SchemaExporter + listKind: SchemaExporterList + plural: schemaexporters + shortNames: + - se + - schemaexporter + singular: schemaexporter + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.contextName + name: ContextName + type: string + - jsonPath: .status.exporterStatus + name: ExporterStatus + type: string + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.sourceSchemaRegistry.endpoint + name: SourceSchemaRegistryEndpoint + priority: 1 + type: string + - jsonPath: .status.destinationSchemaRegistry.endpoint + name: DestinationSchemaRegistryEndpoint + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: SchemaExporter is the schema for the SchemaExporter API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of the schema exporter. 
+ properties: + configs: + additionalProperties: + type: string + description: |- + configs is a map of string key and value pairs. It specifies additional configurations for the schema exporter. More info: + https://docs.confluent.io/platform/current/schema-registry/schema-linking-cp.html#create-a-configuration-file-for-the-exporter + type: object + x-kubernetes-map-type: granular + contextName: + description: |- + contextName specifies the custom context name in the destination Schema Registry cluster where the + schemas will be exported. If this is defined, contextType will be ignored. If this is not defined, + schemas will be exported to context in destination based on contextType. + type: string + contextType: + description: |- + contextType specifies the type of context created in the destination Schema Registry cluster of + the schema exporter. + Valid options are `AUTO` and `NONE`. + The default value is `AUTO`. + enum: + - AUTO + - NONE + type: string + destinationCluster: + description: |- + destinationCluster specifies the destination Schema Registry cluster. If this is not defined, + sourceCluster is chosen as the destination and the schema exporter will be exporting + schemas across contexts within the sourceCluster. + Schema exporter should be enabled in Schema Registry cluster CR with `spec.enableSchemaExporter`. + properties: + schemaRegistryClusterRef: + description: schemaRegistryClusterRef references the CFK-managed + Schema Registry cluster. + properties: + name: + description: name specifies the name of the Confluent Platform + component cluster. + type: string + namespace: + description: namespace specifies the namespace where the Confluent + Platform component cluster is running. + type: string + required: + - name + type: object + schemaRegistryRest: + description: schemaRegistryRest specifies the Schema Registry + REST API configuration. 
+ properties: + authentication: + description: authentication specifies the REST API authentication + mechanism. + properties: + basic: + description: basic specifies the basic authentication + settings for the REST API client. + properties: + debug: + description: debug enables the basic authentication + debug logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + bearer: + description: bearer specifies the bearer authentication + settings for the REST API client. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the OAuth authentication + settings for the REST API client. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. 
+ minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass + the basic credential through a directory path in + the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to + pass the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the REST API authentication + type. Valid options are `basic`, `bearer`, `mtls` and + `oauth`. + enum: + - basic + - bearer + - mtls + - oauth + type: string + required: + - type + type: object + endpoint: + description: endpoint specifies where Confluent REST API is + running. + minLength: 1 + pattern: ^https?://.* + type: string + kafkaClusterID: + description: |- + kafkaClusterID specifies the id of Kafka cluster. + It takes precedence over using the Kafka REST API to get the cluster id. + minLength: 1 + type: string + tls: + description: "tls specifies the custom TLS structure for the + application resources,\n\t// e.g. connector, topic, schema, + of the Confluent Platform components.\n\t// +optional" + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer contains the directory path in the container where + `keystore.jks`, `truststore.jks`, `jksPassword.txt` keys are mounted. + minLength: 1 + type: string + jksPassword: + description: jksPassword specifies the secret name that + contains the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef specifies the secret name that contains the certificates. + More info about certificates key/value format: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: object + type: object + sourceCluster: + description: |- + sourceCluster specifies the source Schema Registry cluster. Schema exporter will be set + up in the source cluster. If this is not defined, controller will try to auto discover Schema Registry + in the namespace of the schema exporter. If it cannot discover a Schema Registry cluster or more than + one Schema Registry clusters are found, controller will return error. + Schema exporter should be enabled in Schema Registry cluster CR with `spec.enableSchemaExporter`. + properties: + schemaRegistryClusterRef: + description: schemaRegistryClusterRef references the CFK-managed + Schema Registry cluster. + properties: + name: + description: name specifies the name of the Confluent Platform + component cluster. + type: string + namespace: + description: namespace specifies the namespace where the Confluent + Platform component cluster is running. + type: string + required: + - name + type: object + schemaRegistryRest: + description: schemaRegistryRest specifies the Schema Registry + REST API configuration. + properties: + authentication: + description: authentication specifies the REST API authentication + mechanism. + properties: + basic: + description: basic specifies the basic authentication + settings for the REST API client. 
+ properties: + debug: + description: debug enables the basic authentication + debug logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + bearer: + description: bearer specifies the bearer authentication + settings for the REST API client. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the OAuth authentication + settings for the REST API client. + properties: + configuration: + description: configuration specifies the OAuth server + settings. 
+ properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass + the basic credential through a directory path in + the container. 
+ minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to + pass the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the REST API authentication + type. Valid options are `basic`, `bearer`, `mtls` and + `oauth`. + enum: + - basic + - bearer + - mtls + - oauth + type: string + required: + - type + type: object + endpoint: + description: endpoint specifies where Confluent REST API is + running. + minLength: 1 + pattern: ^https?://.* + type: string + kafkaClusterID: + description: |- + kafkaClusterID specifies the id of Kafka cluster. + It takes precedence over using the Kafka REST API to get the cluster id. + minLength: 1 + type: string + tls: + description: "tls specifies the custom TLS structure for the + application resources,\n\t// e.g. connector, topic, schema, + of the Confluent Platform components.\n\t// +optional" + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer contains the directory path in the container where + `keystore.jks`, `truststore.jks`, `jksPassword.txt` keys are mounted. + minLength: 1 + type: string + jksPassword: + description: jksPassword specifies the secret name that + contains the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef specifies the secret name that contains the certificates. 
+ More info about certificates key/value format: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: object + type: object + subjectRenameFormat: + description: |- + subjectRenameFormat specifies the rename format for the subjects exported to the destination. + For example, if the value is `my-${subject}`, subjects at destination will become `my-firstSubject` + where `firstSubject` is the original subject name. + type: string + subjects: + description: |- + subjects specifies the list of subjects to be exported by schema exporter. + The default value is `["*"]`. This indicates all subjects in the default context. + items: + type: string + type: array + type: object + status: + description: status defines the observed state of the schema exporter. + properties: + appState: + default: Unknown + description: appState is the current state of the schema exporter + application. + enum: + - Unknown + - Created + - Failed + - Deleted + type: string + conditions: + description: conditions are the latest available observations of the + schema exporter's state. + items: + description: Condition represent the latest available observations + of the current state. + properties: + lastProbeTime: + description: lastProbeTime shows the last time the condition + was evaluated. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime shows the last time the condition + was transitioned from one status to another. + format: date-time + type: string + message: + description: message shows a human-readable message with details + about the transition. + type: string + reason: + description: reason shows the reason for the last transition + of the condition. + type: string + status: + description: status shows the status of the condition, one of + `True`, `False`, or `Unknown`. 
+ type: string + type: + description: type shows the condition type. + type: string + type: object + type: array + contextName: + description: |- + contextName shows the name of the context in the destination Schema Registry cluster + where the schemas will be exported. + type: string + contextType: + description: contextType is the contextType of the schema exporter. + type: string + destinationSchemaRegistry: + description: |- + destinationSchemaRegistry shows the destination Schema Registry endpoint, authentication type + and if it is using TLS. + properties: + authenticationType: + description: authenticationType is the authentication method used + for Schema Registry. + type: string + endpoint: + description: endpoint is the Schema Registry REST endpoint. + type: string + tls: + description: tls shows whether the Schema Registry is using TLS. + type: boolean + type: object + exporterStatus: + description: exporterStatus is the status of the schema exporter. + type: string + observedGeneration: + description: observedGeneration is the most recent generation observed + for this Confluent component. + format: int64 + type: integer + sourceSchemaRegistry: + description: |- + sourceSchemaRegistry shows the source Schema Registry endpoint, authentication type + and if it is using TLS. + properties: + authenticationType: + description: authenticationType is the authentication method used + for Schema Registry. + type: string + endpoint: + description: endpoint is the Schema Registry REST endpoint. + type: string + tls: + description: tls shows whether the Schema Registry is using TLS. + type: boolean + type: object + state: + description: state is the current state of the schema exporter. + type: string + subjects: + description: subjects is the list of subjects exported by the schema + exporter. + items: + type: string + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_schemaregistries.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_schemaregistries.yaml
new file mode 100644
index 000000000..2cc59aaf4
--- /dev/null
+++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_schemaregistries.yaml
@@ -0,0 +1,5801 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: schemaregistries.platform.confluent.io +spec: + group: platform.confluent.io + names: + categories: + - all + - confluent-platform + - confluent + kind: SchemaRegistry + listKind: SchemaRegistryList + plural: schemaregistries + shortNames: + - schemaregistry + - sr + singular: schemaregistry + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.replicas + name: Replicas + type: string + - jsonPath: .status.readyReplicas + name: Ready + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.kafka.bootstrapEndpoint + name: Kafka + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: SchemaRegistry is the schema for the Schema Registry API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of the Schema Registry cluster. + properties: + authentication: + description: authentication specifies the authentication configurations + for the REST API endpoint. 
+ properties: + basic: + description: basic specifies the configuration for basic authentication. + properties: + debug: + description: debug enables the basic authentication debug + logs for JaaS configuration. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the configuration for OAuth authentication. + properties: + configuration: + description: configuration specifies the OAuth server settings. + properties: + audience: + description: audience specifies the audience claim in + the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected issuer + in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of claim + in token for identifying the groups of subject in the + JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). 
+ It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout with + IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry backoff + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff with + IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim in JWT + to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass the basic + credential through a directory path in the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to pass the + required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication scheme for the + REST API server. Valid options are `basic`, `oauth` and `mtls`. 
+ enum: + - basic + - mtls + - oauth + type: string + required: + - type + type: object + authorization: + description: authorization specifies the authorization configurations. + properties: + kafkaRestClassRef: + description: |- + kafkaRestClassRef references the KafkaRestClass + which specifies the Kafka REST API connection configuration. + properties: + name: + description: name specifies the name of the KafkaRestClass + application resource. + minLength: 1 + type: string + namespace: + description: namespace specifies the namespace of the KafkaRestClass. + type: string + required: + - name + type: object + type: + description: type specifies the client-side authorization type. + The valid option is `rbac`. + enum: + - rbac + type: string + required: + - type + type: object + configOverrides: + description: |- + configOverrides specifies the configs to override the server, JVM, Log4j properties for the Schema Registry cluster. + A change will roll the cluster. + properties: + jvm: + description: |- + jvm is a list of JVM configuration supported by the Confluent Platform component. + This will either add or update the existing configuration. + items: + type: string + type: array + log4j: + description: |- + log4j is a list of Log4J configuration supported by the Confluent Platform component. + This will either add or update the existing configuration. + items: + type: string + type: array + server: + description: |- + server is a list of server configuration supported by the Confluent Platform component. + This will either add or update existing configuration. + items: + type: string + type: array + type: object + dependencies: + description: dependencies specify the dependency configurations for + the Schema Registry. + properties: + kafka: + description: kafka specifies the Kafka dependency configuration. + properties: + authentication: + description: authentication defines the authentication for + the Kafka cluster. 
+ properties: + jaasConfig: + description: jaasConfig specifies the Kafka client-side + JaaS configuration. + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: jaasConfigPassThrough specifies another way + to provide the Kafka client-side JaaS configuration. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. 
+ minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + oauthbearer: + description: |- + oauthbearer is the authentication mechanism to provider principals. + Only supported in RBAC deployment. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: + description: |- + type specifies the Kafka client authentication type. + Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`. 
+ enum: + - plain + - oauthbearer + - digest + - mtls + - oauth + type: string + required: + - type + type: object + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap + endpoint. + minLength: 1 + pattern: .+:[0-9]+ + type: string + discovery: + description: discovery specifies the capability to discover + the Kafka cluster. + properties: + name: + description: name is the name of the Confluent Platform + component cluster. + type: string + namespace: + description: |- + namespace is where the Confluent Platform component is running. + The default value is the namespace where CFK is running. + type: string + secretRef: + description: secretRef is the name of the secret used + to discover the Confluent Platform component. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls defines the client-side TLS setting for the + Kafka cluster. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + mds: + description: mds specifies the MDS dependencies configurations. + properties: + authentication: + description: authentication specifies the client side authentication + configuration for the MDS. + properties: + bearer: + description: bearer specifies the bearer authentication + settings. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the OAuth authentication + settings. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. 
+ minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name + of claim in token for identifying the groups + of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect + timeout with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass + the basic credential through a directory path in + the container. + minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to + pass the required credentials. 
+ maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the authentication method + for the MDS. The valid option is `bearer`, `oauth`. + enum: + - bearer + - oauth + type: string + required: + - type + type: object + endpoint: + description: endpoint specifies the MDS endpoint. + minLength: 1 + pattern: ^https?://.* + type: string + ssoProtocol: + description: sso protocol, valid options are ldap and oidc. + enum: + - ldap + - oidc + type: string + tls: + description: ClientTLSConfig specifies the TLS configuration + for the Confluent component (dependencies, listeners). + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + tokenKeyPair: + description: tokenKeyPair specifies the token keypair to configure + the MDS. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer defines the directory path in the container + where the MDS token key pair are mounted. + minLength: 1 + type: string + encryptedTokenKey: + description: |- + EncryptedTokenKey boolean value indicating whether the tokenKeypair(private used for signing) is encrypted using a passphrase. If true, cfk + operator will look for a file named mdsTokenKeyPassphrase.txt containing key value pair + mdsTokenKeyPassphrase=. Relevant only for mds server. Ignored if set for a client configuration. + type: boolean + secretRef: + description: secretRef references the name of the secret + that contains the MDS token key pair. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - authentication + - endpoint + - tokenKeyPair + type: object + type: object + enableSchemaExporter: + description: enableSchemaExporter enables schema exporter in the Schema + Registry. + type: boolean + externalAccess: + description: |- + externalAccess specifies the external access configuration. + When `spec.listeners` is configured, configuring `spec.externalAccess` is not allowed. + Please configure `spec.listeners.external.externalAccess` instead". + properties: + loadBalancer: + description: loadBalancer specifies the configuration to create + a Kubernetes load balancer service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. 
+ If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain is the domain name of the component cluster. + minLength: 1 + type: string + externalTrafficPolicy: + description: externalTrafficPolicy specifies the external + traffic policy for the service. Valid options are `Local` + and `Cluster`. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + loadBalancerSourceRanges: + description: loadBalancerSourceRanges specify the source ranges. 
+ items: + type: string + type: array + port: + description: |- + port specifies the external port for the client consumption. + If not configured, the same internal/external port is configured for the component. + Information about the port can be retrieved through the status API. + format: int32 + type: integer + prefix: + description: |- + prefix specify the prefix for the given domain. + The default value is the name of the cluster. + minLength: 1 + type: string + servicePorts: + description: servicePorts specify the user-provided service + port(s). + items: + description: ServicePort contains information on service's + port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. 
+ type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. 
+ enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations of Client + IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - domain + type: object + nodePort: + description: nodePort specifies the configuration to create a + Kubernetes node port service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to `://:, where`podId` starts from `0` to `replicaCount - 1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. 
It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + externalTrafficPolicy: + description: |- + externalTrafficPolicy specifies the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + host: + description: host defines the host name of the cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + nodePortOffset: + description: |- + nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect + to the replicas count. + NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server. + The default Kubernetes Node Port range is `30000` - `32762`. + format: int32 + minimum: 0 + type: integer + servicePorts: + description: |- + servicePorts specify user-provided service port(s). + For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service. + items: + description: ServicePort contains information on service's + port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). 
+ + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. 
Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations of Client + IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - host + - nodePortOffset + type: object + route: + description: route specifies the configuration to create a route + service in OpenShift. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://-http-external.` where podId starts from `0` to `replicaCount -1`. 
+ This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain specifies the domain name of the Confluent + component cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + prefix: + description: |- + prefix specifies the component prefix when configured for the domain. + The default value is the name of the cluster. + minLength: 1 + type: string + wildcardPolicy: + description: |- + wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`. + The default value is `None`. + enum: + - Subdomain + - None + type: string + required: + - domain + type: object + type: + description: |- + type specifies the Kubernetes external service for the component. 
+ Valid options are `loadBalancer`, `nodePort`, and `route`. + enum: + - loadBalancer + - nodePort + - route + minLength: 1 + type: string + required: + - type + type: object + headlessService: + description: headlessService specifies the configuration of the Kubernetes + headless service. + properties: + annotations: + additionalProperties: + type: string + description: |- + annotations is a map of string key and value pairs. + It specifies the annotations to be added to the CFK-created headless service. + These annotations are merged with the injectAnnotations and take precedence. + type: object + x-kubernetes-map-type: granular + labels: + additionalProperties: + type: string + description: |- + labels is a map of string key and value pairs. + It specifies the labels to be added to the CFK-created headless service. + These labels are merged with the injectLabels and take precedence. + type: object + x-kubernetes-map-type: granular + publishNotReadyAddresses: + description: |- + publishNotReadyAddresses specifies the publishNotReadyAddresses field. + For Kafka, this value must be true. The default value is true. + type: boolean + type: object + image: + description: |- + image specifies the application and the init docker image configurations. + A change to this setting will roll the cluster. + properties: + application: + description: |- + application is the Docker image name of the application. Specify + `//:`. + pattern: .+:.+ + type: string + init: + description: |- + init is the init-container name. Specify + `//:`. + pattern: .+:.+ + type: string + pullPolicy: + description: |- + pullPolicy is the policy for pulling images. Valid options are `Always`, `Never`, and `IfNotPresent`. + The default value is `IfNotPresent`. + enum: + - Always + - Never + - IfNotPresent + type: string + pullSecretRef: + description: |- + pullSecretRef references the secrets in the same namespace to be used for pulling images. 
+ Image pull secrets are distinct from secrets because secrets + can be mounted in the pod, but image pull secrets are only accessed by `kubelet`. + More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + items: + type: string + type: array + required: + - application + - init + type: object + injectAnnotations: + additionalProperties: + type: string + description: |- + injectAnnotations are the annotations injected to the internal resources that CFK created. + The internal annotations are preserved and cannot be overridden. + For pod annotations, use `podTemplate.annotations`. + type: object + x-kubernetes-map-type: granular + injectLabels: + additionalProperties: + type: string + description: |- + injectLabels are the labels injected to the internal resources that CFK created. + The internal labels are preserved and cannot be overridden. + For pod labels, use `podTemplate.labels`. + type: object + x-kubernetes-map-type: granular + internalTopicReplicatorFactor: + description: internalTopicReplicatorFactor specifies the replication + factor for internal topics. + format: int32 + minimum: 1 + type: integer + k8sClusterDomain: + description: |- + k8sClusterDomain specifies the configuration of the Kubernetes cluster domain. + The default is the `cluster.local` domain. + type: string + license: + description: license specifies the license configuration for the Confluent + Platform component. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + the license key is mounted. More info: + https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses + minLength: 1 + type: string + globalLicense: + description: globalLicense specifies whether the Confluent Platform + component shares the common global license. 
+ type: boolean + secretRef: + description: |- + secretRef references the secret that provides the license for the Confluent Platform component. + More info: https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + listeners: + description: listeners specify the listeners configurations. + properties: + external: + description: external specifies the Confluent component external + listener. + properties: + externalAccess: + description: externalAccess defines the external access configuration + for the Confluent component. + properties: + loadBalancer: + description: loadBalancer specifies the configuration + to create a Kubernetes load balancer service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. 
+ minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain is the domain name of the component + cluster. + minLength: 1 + type: string + externalTrafficPolicy: + description: externalTrafficPolicy specifies the external + traffic policy for the service. Valid options are + `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + loadBalancerSourceRanges: + description: loadBalancerSourceRanges specify the + source ranges. + items: + type: string + type: array + port: + description: |- + port specifies the external port for the client consumption. + If not configured, the same internal/external port is configured for the component. + Information about the port can be retrieved through the status API. + format: int32 + type: integer + prefix: + description: |- + prefix specify the prefix for the given domain. + The default value is the name of the cluster. + minLength: 1 + type: string + servicePorts: + description: servicePorts specify the user-provided + service port(s). + items: + description: ServicePort contains information on + service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). 
+ + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by + this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. 
+ Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - domain + type: object + nodePort: + description: nodePort specifies the configuration to create + a Kubernetes node port service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to `://:, where`podId` starts from `0` to `replicaCount - 1`. 
+ This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + externalTrafficPolicy: + description: |- + externalTrafficPolicy specifies the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + host: + description: host defines the host name of the cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + nodePortOffset: + description: |- + nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect + to the replicas count. + NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server. + The default Kubernetes Node Port range is `30000` - `32762`. 
+ format: int32 + minimum: 0 + type: integer + servicePorts: + description: |- + servicePorts specify user-provided service port(s). + For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service. + items: + description: ServicePort contains information on + service's port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. 
If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by + this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations + of Client IP based session affinity. 
+ properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - host + - nodePortOffset + type: object + route: + description: route specifies the configuration to create + a route service in OpenShift. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://-http-external.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and + value pairs. It specifies Kubernetes annotations + for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain specifies the domain name of the + Confluent component cluster. 
+ minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value + pairs. It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + prefix: + description: |- + prefix specifies the component prefix when configured for the domain. + The default value is the name of the cluster. + minLength: 1 + type: string + wildcardPolicy: + description: |- + wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`. + The default value is `None`. + enum: + - Subdomain + - None + type: string + required: + - domain + type: object + type: + description: |- + type specifies the Kubernetes external service for the component. + Valid options are `loadBalancer`, `nodePort`, and `route`. + enum: + - loadBalancer + - nodePort + - route + minLength: 1 + type: string + required: + - type + type: object + tls: + description: tls specifies the TLS configuration for the listener. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + internal: + description: |- + internal specifies the Confluent component's internal listener. + This internal listener is for intra-communication between the pods. + properties: + port: + description: |- + port binds the given port to the internal listener. If not configured, + it will be defaulted to the component-specific internal port. + Port numbers lower than `9093` are reserved by CFK. + format: int32 + minimum: 9093 + type: integer + tls: + description: tls specifies the TLS configuration for the listener. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. 
+ properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + type: object + metrics: + description: metrics specify the security settings for the metric + services. + properties: + authentication: + description: authentication specifies the authentication configuration + for the metrics. + properties: + type: + description: type specifies the metrics authentication method. + The valid option is `mtls`. + enum: + - mtls + type: string + required: + - type + type: object + prometheus: + description: prometheus specifies the configuration overrides + for the JMX-Prometheus exporter. + properties: + blacklist: + items: + type: string + type: array + rules: + items: + description: Rule defines the Prometheus Exporter rule override. 
+ properties: + attrNameSnakeCase: + type: boolean + cache: + type: boolean + help: + minLength: 1 + type: string + labels: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + name: + minLength: 1 + type: string + pattern: + minLength: 1 + type: string + type: + minLength: 1 + type: string + value: + minLength: 1 + type: string + valueFactor: + anyOf: + - type: integer + - type: string + default: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: array + whitelist: + items: + type: string + type: array + type: object + tls: + description: tls specifies the TLS configuration for the metrics. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. 
+ More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + mountedSecrets: + description: |- + mountedSecrets list the secrets injected to + the underlying statefulset configuration. The secret reference is mounted + in the default path `/mnt/secrets/`. The underlying resources + will follow the secret as a file configuration. + More info: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod. + A change to this setting will roll the cluster. + items: + description: |- + MountedSecrets provides a way to inject a custom secret to the underlying + statefulset. + properties: + keyItems: + description: keyItems are key and path names. + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + secretRef: + description: secretRef references the name of the secret. 
+ maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + type: array + mountedVolumes: + description: |- + mountedVolumes list the custom volumes that need to be mounted into the + underlying statefulset. + A change to this setting will roll the cluster. + properties: + volumeMounts: + description: |- + volumeMounts specify the list of volume mounts for the pods in the + statefulset. + items: + description: VolumeMount describes a mounting of a Volume within + a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + volumes: + description: |- + volumes specify the list of volumes that can be mounted into the pods + of statefulset. + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. 
+ properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk mount + on the host and bind mount to the pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' 
+ type: string + diskName: + description: diskName is the Name of the data disk in + the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in the + blob storage + type: string + fsType: + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure managed + data disk (only in managed availability set). defaults + to shared' + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the host + that shares a pod's lifetime + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). 
ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about the + pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the + pod: only annotations, labels, name and namespace + are supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must not + be absolute or contain the ''..'' path. Must + be utf-8 encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. 
+ The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. 
+ + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. 
For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
+ type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. 
+ If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource that + is attached to a kubelet's host machine and then exposed + to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target worldwide + names (WWNs)' + items: + type: string + type: array + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. 
+ items: + type: string + type: array + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + properties: + driver: + description: driver is the name of the driver to use + for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. 
+ This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. 
+ properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the specified + revision. + type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md + properties: + endpoints: + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. + properties: + path: + description: |- + path of the directory on the host. 
+ If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://examples.k8s.io/volumes/iscsi/README.md + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. 
The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon Controller + persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. 
+ type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources secrets, + configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected along + with other supported volume types + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". 
+ properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. 
+ type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the configMap + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, kind, uid? + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the + downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about the secret + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. 
+ May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. 
+ type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount on the host + that shares a pod's lifetime + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references an already + created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + image: + description: |- + image is the rados image name. 
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + pool: + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the ScaleIO + API Gateway. 
+ type: string + protectionDomain: + description: protectionDomain is the name of the ScaleIO + Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL communication + with Gateway, default false + type: boolean + storageMode: + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage Pool + associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether the Secret + or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume attached + and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume attached + and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. 
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy Based + Management (SPBM) profile ID associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - volumeMounts + - volumes + type: object + oneReplicaPerNode: + description: |- + oneReplicaPerNode controls whether to run 1 pod per node using the pod anti-affinity capability. + Enabling this configuration in an existing cluster will roll the cluster. + type: boolean + passwordEncoder: + description: passwordEncoder specifies password encoder secret for + Schema Registry. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer contains the directory path in the container where + the required secret is mounted. + Directory should have the file `password-encoder.txt`. The contents should include a new password. + Old password is optional and required only for rotation. + More info: https://docs.confluent.io/operator/current/co-password-encoder-secret. + type: string + secretRef: + description: |- + secretRef specifies the secret name. The secret should have the key + `password-encoder.txt`. The contents should include a new password. + Old password is optional and required only for rotation. + More info: https://docs.confluent.io/operator/current/co-password-encoder-secret. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + pdb: + description: |- + configures PodDisruptionBudget for the Confluent Platform component. + by default PDB is configured based on pre-detemined formula. 
+ properties: + enabled: + description: enabled specifies whether the PodDisruptionBudget + is enabled + type: boolean + maxUnavailable: + description: maxUnavailable is the maximum number of pods that + can be unavailable during the disruption. + format: int32 + type: integer + required: + - enabled + type: object + podTemplate: + description: podTemplate specifies the statefulset pod template configuration. + properties: + affinity: + description: |- + affinity specifies a group of affinity scheduling rules. + More info: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. 
+ items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. 
+ for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. 
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. 
The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. 
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + description: |- + annotations is a map of string key and value pairs stored with the resource and + may be set by external tools to store and retrieve arbitrary metadata. They + are not queryable and should be preserved when modifying objects. More + info: http://kubernetes.io/docs/user-guide/annotations. 
+ type: object + x-kubernetes-map-type: granular + envVars: + description: |- + envVars contain environment variables to be injected into containers. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. 
+ properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + labels: + additionalProperties: + type: string + description: |- + labels is a map of string key and value pairs that can be used to organize and categorize + (scope and select) objects. 
+ More info: http://kubernetes.io/docs/user-guide/labels. + type: object + x-kubernetes-map-type: granular + podSecurityContext: + description: |- + PodSecurityContext holds pod-level security attributes and common container settings. + Some fields are also present in container.securityContext. Field values of + container.securityContext take precedence over field values of PodSecurityContext. + properties: + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. + Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. 
+ properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in addition + to the container's primary GID, the fsGroup (if specified), and group memberships + defined in the container image for the uid of the container process. If unspecified, + no additional groups are added to any container. Note that group memberships + defined in the container image for the uid of the container process are still effective, + even if they are not included in this list. + Note that this field cannot be set when spec.os.name is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: |- + The Windows specific settings applied to all containers. 
+ If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + priorityClassName: + description: priorityClassName specifies the priority class for + the pod (if any). + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + probe: + description: probe contains the fields for standard Kubernetes + readiness/liveness probe configuration. + properties: + liveness: + description: |- + liveness configures the Kubernetes probe settings. The changes + will override the existing default configuration. 
+ properties: + failureThreshold: + description: |- + failureThreshold is the minimum consecutive failures for the probe to be considered failed. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + initialDelaySeconds: + description: |- + initialDelaySeconds is the number of seconds after the container has started and before probes are initiated. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + path: + description: Path for the HTTP probe + type: string + periodSeconds: + description: |- + periodSeconds specifies how often to perform the probe. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + port: + description: Number of the port to access on the container + type: integer + successThreshold: + description: |- + successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed. + The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`. + format: int32 + type: integer + timeoutSeconds: + description: |- + timeoutSeconds is the number of seconds after which the probe times out. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + type: object + readiness: + description: |- + readiness configures the Kubernetes probe setting. The changes + will override the existing default configuration. + properties: + failureThreshold: + description: |- + failureThreshold is the minimum consecutive failures for the probe to be considered failed. 
+ Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + initialDelaySeconds: + description: |- + initialDelaySeconds is the number of seconds after the container has started and before probes are initiated. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + path: + description: Path for the HTTP probe + type: string + periodSeconds: + description: |- + periodSeconds specifies how often to perform the probe. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + port: + description: Number of the port to access on the container + type: integer + successThreshold: + description: |- + successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed. + The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`. + format: int32 + type: integer + timeoutSeconds: + description: |- + timeoutSeconds is the number of seconds after which the probe times out. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + type: object + type: object + resources: + description: resources describe the compute resource requirements. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
+ properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: |- + SecurityContext holds security configuration that will be applied to a container. + Some fields are present in both SecurityContext and PodSecurityContext. When both + are set, the values in SecurityContext take precedence. + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. 
+ AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default is DefaultProcMount which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. 
+ Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. 
+ type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + serviceAccountName: + description: |- + ServiceAccountName is the name of the service account used to run this pod. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account. + type: string + terminationGracePeriodSeconds: + description: terminationGracePeriodSeconds is the grace period + before the pod is deleted. + format: int64 + type: integer + tolerations: + description: |- + tolerations specify the pods to schedule onto the nodes with matching taints, using + the triple `` and the matching operator ``. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. 
+ type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + topologySpreadConstraints describe how a group of pods ought to spread across topology domains. Scheduler will + schedule pods based on the constraints. All topologySpreadConstraints are ANDed. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. 
+ | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. + When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + + + This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). 
+ format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. 
+ - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + replicas: + description: |- + replicas is the desired number of replicas. + A change to this setting will roll the cluster. + format: int32 + type: integer + telemetry: + description: telemetry specifies the Confluent telemetry reporter + configuration. + properties: + global: + description: |- + global allows disabling telemetry configuration. + If CFK is deployed with telemetry, this field is only + used to disable telemetry. The default value is `true` if + telemetry is enabled at the global level. + type: boolean + type: object + tls: + description: tls specifies the global TLS configurations for the REST + API endpoint. + properties: + autoGeneratedCerts: + description: |- + autoGeneratedCerts specifies that the certificates are auto-generated based on + the CA key pair provided. 
+ type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + fips: + description: |- + fips specifies the configuration of FIPS compliant Bouncy Castle type Java Keystores for the cp component's + TLS settings. TLS Secrets must have the keys keystore.bcfks, truststore.bcfks, and jksPassword.txt + properties: + enabled: + description: enabled specifies whether to enable the FIPS + configuration for cp components. + type: boolean + required: + - enabled + type: object + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing the + JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - image + type: object + status: + description: status defines the observed state of the Schema Registry + cluster. 
+ properties: + arbitraryData: + description: arbitraryData is the map for any arbitrary data associated + with this Confluent component. + x-kubernetes-preserve-unknown-fields: true + authorizationType: + description: authorizationType is the authorization type for this + Confluent component. + type: string + clusterName: + description: clusterName is the name of the Confluent Platform component + cluster. + type: string + clusterNamespace: + description: clusterNamespace is the namespace where the Confluent + Platform component cluster is running. + type: string + conditions: + description: conditions specify the latest available observations + of the current state. + items: + description: Condition represent the latest available observations + of the current state. + properties: + lastProbeTime: + description: lastProbeTime shows the last time the condition + was evaluated. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime shows the last time the condition + was transitioned from one status to another. + format: date-time + type: string + message: + description: message shows a human-readable message with details + about the transition. + type: string + reason: + description: reason shows the reason for the last transition + of the condition. + type: string + status: + description: status shows the status of the condition, one of + `True`, `False`, or `Unknown`. + type: string + type: + description: type shows the condition type. + type: string + type: object + type: array + currentReplicas: + description: currentReplicas is the number of currently running replicas. + format: int32 + type: integer + groupId: + description: groupId is the group id of the Schema Registry cluster. + type: string + internalSecrets: + description: |- + internalSecrets are internal secrets created + by CFK for this Confluent component. 
+ items: + type: string + type: array + internalTopicNames: + description: internalTopicNames are the topics used by the component + for internal use. + items: + type: string + type: array + kafka: + description: kafka is the Kafka client side status for the Schema + Registry cluster. + properties: + authenticationType: + description: authenticationType describes the authentication method + for the Kafka cluster. + type: string + bootstrapEndpoint: + description: bootstrapEndpoint specifies the Kafka bootstrap endpoint. + type: string + tls: + description: tls indicates whether TLS is enabled for the Kafka + dependency. + type: boolean + type: object + listeners: + additionalProperties: + description: ListenerStatus describes general information about + the listeners. + properties: + advertisedExternalEndpoints: + description: advertisedExternalEndpoints specifies other advertised + endpoints used, especially for Kafka. + items: + type: string + type: array + authenticationType: + description: authenticationType shows the authentication type + configured by the listener. + type: string + externalAccessType: + description: externalAccessType shows the external access type + used for the listener. + type: string + externalEndpoint: + description: externalEndpoint specifies the external endpoint + to connect to the Confluent component cluster. + type: string + internalEndpoint: + description: internalEndpoint specifies the internal endpoint + to connect to the Confluent component cluster. + type: string + tls: + description: tls shows whether TLS is configured for the listener. + type: boolean + type: object + description: listeners is a map of listener type and the status of + Schema Registry Listeners. + type: object + x-kubernetes-map-type: granular + metricPrefix: + description: metricPrefix is the prefix for the JMX metric of the + Schema Registry cluster. 
+ type: string + observedGeneration: + description: observedGeneration is the most recent generation observed + for this Confluent component. + format: int64 + type: integer + operatorVersion: + description: operatorVersion is the internal version of CFK. + type: string + phase: + description: |- + phase describes the state of the Confluent Platform component. This can either be 'PROVISIONING' + or 'RUNNING' + 'PROVISIONING' means the Confluent Platform component is currently getting deployed and not ready yet. + 'RUNNING' means the Confluent Platform component has been successfully deployed. + type: string + rbac: + description: rbac contains the RBAC-related status when RBAC is enabled. + properties: + clusterID: + description: clusterID specifies the id of the cluster. + type: string + internalRolebindings: + description: internalRolebindings specifies the internal rolebindings. + items: + type: string + type: array + type: object + readyReplicas: + description: readyReplicas is the number of currently ready replicas. + format: int32 + type: integer + replicas: + description: replicas is the number of replicas. + format: int32 + type: integer + restConfig: + description: restConfig is the REST API configuration of the Schema + Registry cluster. + properties: + advertisedExternalEndpoints: + description: advertisedExternalEndpoints specifies other advertised + endpoints used, especially for Kafka. + items: + type: string + type: array + authenticationType: + description: authenticationType shows the authentication type + configured by the listener. + type: string + externalAccessType: + description: externalAccessType shows the external access type + used for the listener. + type: string + externalEndpoint: + description: externalEndpoint specifies the external endpoint + to connect to the Confluent component cluster. + type: string + internalEndpoint: + description: internalEndpoint specifies the internal endpoint + to connect to the Confluent component cluster. 
+ type: string + tls: + description: tls shows whether TLS is configured for the listener. + type: boolean + type: object + selector: + description: |- + selector gets the label selector of the child pod. + The Horizontal Pod Autoscaler(HPA) will scale using the label selector of the child pod. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.replicas + status: {} diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_schemas.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_schemas.yaml new file mode 100644 index 000000000..b50396d44 --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_schemas.yaml 
@@ -0,0 +1,590 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: schemas.platform.confluent.io +spec: + group: platform.confluent.io + names: + categories: + - all + - confluent-platform + - confluent + kind: Schema + listKind: SchemaList + plural: schemas + shortNames: + - schema + singular: schema + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.format + name: Format + type: string + - jsonPath: .status.id + name: ID + type: string + - jsonPath: .status.version + name: Version + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.schemaRegistryEndpoint + name: SchemaRegistryEndpoint + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of the Schema. + properties: + compatibilityLevel: + description: |- + compatibilityLevel specifies the compatibility level requirement for the schema under the specified subject. 
+ Valid options are `BACKWARD`, `BACKWARD_TRANSITIVE`, `FORWARD`, `FORWARD_TRANSITIVE`, `FULL`, `FULL_TRANSITIVE` and `NONE`. + more info: https://docs.confluent.io/platform/current/schema-registry/avro.html#schema-evolution-and-compatibility + enum: + - BACKWARD + - BACKWARD_TRANSITIVE + - FORWARD + - FORWARD_TRANSITIVE + - FULL + - FULL_TRANSITIVE + - NONE + type: string + data: + description: data defines the data required to create the schema. + properties: + configRef: + description: configRef is the name of the Kubernetes ConfigMap + resource containing the schema. + minLength: 1 + type: string + format: + description: format is the format type of the encoded schema. + Valid options are `avro`, `json`, and `protobuf`. + enum: + - avro + - json + - protobuf + minLength: 1 + type: string + required: + - configRef + - format + type: object + mode: + description: |- + Mode specifies the schema registry mode for the schemas under the specified subject. + Valid options are `IMPORT`, `READONLY`, `READWRITE`. + enum: + - IMPORT + - READONLY + - READWRITE + type: string + name: + description: |- + name specifies the subject name of schema. If not configured, the Schema CR name is used + as the subject name. + maxLength: 255 + minLength: 1 + pattern: ^[^\\]*$ + type: string + normalize: + description: |- + Normalize specifies whether to normalize the schema at the time of registering to schema registry. + more info: https://docs.confluent.io/platform/current/schema-registry/fundamentals/serdes-develop/index.html#schema-normalization + type: boolean + schemaReferences: + description: schemaReferences defines the schema references in the + schema data. + items: + description: SchemaReference is the schema to be used as a reference + for the new schema. + properties: + avro: + description: avro is the data for the referenced Avro schema. + properties: + avro: + description: name is the fully qualified name of the referenced + Avro schema. 
+ minLength: 1 + type: string + required: + - avro + type: object + format: + description: format is the format type of the referenced schema. + Valid options are `avro`, `json`, and `protobuf`. + enum: + - avro + - json + - protobuf + minLength: 1 + type: string + json: + description: json is the data for the referenced JSON schema. + properties: + url: + description: url is the referenced JSON schema url. + minLength: 1 + type: string + required: + - url + type: object + protobuf: + description: protobuf is the data for the referenced Protobuf + schema. + properties: + file: + description: file is the file name of the referenced Protobuf + schema. + minLength: 1 + type: string + required: + - file + type: object + subject: + description: subject is the subject name for the referenced + schema through the configRef. + minLength: 1 + type: string + version: + description: version is the version type of the referenced schema. + format: int32 + type: integer + required: + - format + - subject + - version + type: object + type: array + schemaRegistryClusterRef: + description: schemaRegistryClusterRef references the CFK-managed Schema + Registry cluster. + properties: + name: + description: name specifies the name of the Confluent Platform + component cluster. + type: string + namespace: + description: namespace specifies the namespace where the Confluent + Platform component cluster is running. + type: string + required: + - name + type: object + schemaRegistryRest: + description: schemaRegistryRest specifies the Schema Registry REST + API configuration. + properties: + authentication: + description: authentication specifies the REST API authentication + mechanism. + properties: + basic: + description: basic specifies the basic authentication settings + for the REST API client. + properties: + debug: + description: debug enables the basic authentication debug + logs for JaaS configuration. 
+ type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer allows to pass the basic credential through a directory path in the container. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + minLength: 1 + type: string + restrictedRoles: + description: |- + restrictedRoles specify the restricted roles on the server side only. + Changes will be only reflected in Control Center. + This configuration is ignored on the client side configuration. + items: + type: string + minItems: 1 + type: array + roles: + description: |- + roles specify the roles on the server side only. + This configuration is ignored on the client side configuration. + items: + type: string + type: array + secretRef: + description: |- + secretRef defines secret reference to pass the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + bearer: + description: bearer specifies the bearer authentication settings + for the REST API client. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container + where the credential is mounted. + minLength: 1 + type: string + secretRef: + description: |- + secretRef specifies the name of the secret that contains the credential. + More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauth: + description: oauth specifies the OAuth authentication settings + for the REST API client. + properties: + configuration: + description: configuration specifies the OAuth server + settings. + properties: + audience: + description: audience specifies the audience claim + in the JWT payload. 
+ minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected + issuer in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of + claim in token for identifying the groups of subject + in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. + minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout + with IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry + backoff with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff + with IDP in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim + in JWT to use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + directoryPathInContainer: + description: directoryPathInContainer allows to pass the + basic credential through a directory path in the container. 
+ minLength: 1 + type: string + secretRef: + description: secretRef defines secret reference to pass + the required credentials. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - configuration + type: object + type: + description: type specifies the REST API authentication type. + Valid options are `basic`, `bearer`, `mtls` and `oauth`. + enum: + - basic + - bearer + - mtls + - oauth + type: string + required: + - type + type: object + endpoint: + description: endpoint specifies where Confluent REST API is running. + minLength: 1 + pattern: ^https?://.* + type: string + kafkaClusterID: + description: |- + kafkaClusterID specifies the id of Kafka cluster. + It takes precedence over using the Kafka REST API to get the cluster id. + minLength: 1 + type: string + tls: + description: "tls specifies the custom TLS structure for the application + resources,\n\t// e.g. connector, topic, schema, of the Confluent + Platform components.\n\t// +optional" + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer contains the directory path in the container where + `keystore.jks`, `truststore.jks`, `jksPassword.txt` keys are mounted. + minLength: 1 + type: string + jksPassword: + description: jksPassword specifies the secret name that contains + the JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef specifies the secret name that contains the certificates. 
+ More info about certificates key/value format: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + type: object + required: + - data + type: object + status: + description: status defines the observed state of the Schema. + properties: + appState: + default: Unknown + description: appState is the current state of the Schema application. + enum: + - Unknown + - Created + - Failed + - Deleted + type: string + compatibilityLevel: + description: compatibilityLevel specifies the compatibility level + of the schema under the subject. + type: string + conditions: + description: conditions are the latest available observed state of + the schema. + items: + description: Condition represent the latest available observations + of the current state. + properties: + lastProbeTime: + description: lastProbeTime shows the last time the condition + was evaluated. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime shows the last time the condition + was transitioned from one status to another. + format: date-time + type: string + message: + description: message shows a human-readable message with details + about the transition. + type: string + reason: + description: reason shows the reason for the last transition + of the condition. + type: string + status: + description: status shows the status of the condition, one of + `True`, `False`, or `Unknown`. + type: string + type: + description: type shows the condition type. + type: string + type: object + type: array + deletedVersions: + description: deletedVersions are the successfully hard deleted versions + for the subject. + items: + format: int32 + type: integer + type: array + format: + description: format is the format of the latest schema for the subject. 
+ type: string + id: + description: id is the id of the latest schema for the subject. + format: int32 + type: integer + mode: + description: Mode specifies the operating mode of schema under the + subject. + type: string + normalize: + description: Normalize specifies whether schema has been normalized + at the time of registering. + type: boolean + observedGeneration: + description: observedGeneration is the most recent generation observed + for this Confluent component. + format: int64 + type: integer + schemaReferences: + description: schemaReferences are the schema references for the subject. + items: + description: SchemaReference is the schema to be used as a reference + for the new schema. + properties: + avro: + description: avro is the data for the referenced Avro schema. + properties: + avro: + description: name is the fully qualified name of the referenced + Avro schema. + minLength: 1 + type: string + required: + - avro + type: object + format: + description: format is the format type of the referenced schema. + Valid options are `avro`, `json`, and `protobuf`. + enum: + - avro + - json + - protobuf + minLength: 1 + type: string + json: + description: json is the data for the referenced JSON schema. + properties: + url: + description: url is the referenced JSON schema url. + minLength: 1 + type: string + required: + - url + type: object + protobuf: + description: protobuf is the data for the referenced Protobuf + schema. + properties: + file: + description: file is the file name of the referenced Protobuf + schema. + minLength: 1 + type: string + required: + - file + type: object + subject: + description: subject is the subject name for the referenced + schema through the configRef. + minLength: 1 + type: string + version: + description: version is the version type of the referenced schema. 
+ format: int32 + type: integer + required: + - format + - subject + - version + type: object + type: array + schemaRegistryAuthenticationType: + description: schemaRegistryAuthenticationType is the authentication + method used. + type: string + schemaRegistryEndpoint: + description: schemaRegistryEndpoint is the Schema Registry REST endpoint. + type: string + schemaRegistryTLS: + description: schemaRegistryTLS shows whether the Schema Registry is + using TLS. + type: boolean + softDeletedVersions: + description: softDeletedVersions are the successfully soft deleted + versions for the subject. + items: + format: int32 + type: integer + type: array + state: + description: state is the state of the Schema CR. + type: string + subject: + description: subject is the subject of the schema. + type: string + version: + description: version is the version of the latest schema for the subject. + format: int32 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_zookeepers.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_zookeepers.yaml new file mode 100644 index 000000000..5a89c94c7 --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/crds/platform.confluent.io_zookeepers.yaml 
@@ -0,0 +1,4713 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: zookeepers.platform.confluent.io +spec: + group: platform.confluent.io + names: + categories: + - all + - confluent-platform + - confluent + kind: Zookeeper + listKind: ZookeeperList + plural: zookeepers + shortNames: + - zookeeper + - zk + singular: zookeeper + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.replicas + name: Replicas + type: string + - jsonPath: .status.readyReplicas + name: Ready + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.endpoint + name: Endpoint + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: Zookeeper is the schema for the Zookeeper API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec defines the desired state of the Zookeeper cluster. + properties: + authentication: + description: authentication specifies the authentication configuration. + properties: + jaasConfig: + description: |- + jaasConfig specifies the JaaS configuration. 
+ More info: https://docs.confluent.io/operator/current/co-authenticate.html + properties: + secretRef: + description: |- + secretRef references the secret containing the required credentials. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + jaasConfigPassThrough: + description: |- + jaasConfigPassThrough specifies another way to provide JaaS configuration. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where required credentials are mounted. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + minLength: 1 + type: string + secretRef: + description: |- + secretRef references the secret containing the required credentials for authentication. + More info: https://docs.confluent.io/operator/current/co-authenticate.html + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + oauthSettings: + description: |- + oauthSettings specifies the OAuth settings. + This needs to passed with the authentication type `oauth`. + properties: + audience: + description: audience specifies the audience claim in the + JWT payload. + minLength: 1 + type: string + expectedIssuer: + description: expectedIssuer specifies the expected issuer + in the JWT payload. + minLength: 1 + type: string + groupsClaimName: + description: groupsClaimName specifies the name of claim in + token for identifying the groups of subject in the JWT payload. + minLength: 1 + type: string + jwksEndpointUri: + description: |- + jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS). + It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server. 
+ minLength: 1 + type: string + loginConnectTimeoutMs: + description: LoginConnectTimeoutMs sets connect timeout with + IDP in ms + format: int32 + type: integer + loginReadTimeoutMs: + description: LoginReadTimeoutMs sets read timeout with IDP + in ms + format: int32 + type: integer + loginRetryBackoffMaxMs: + description: LoginRetryBackoffMaxMs sets max retry backoff + with IDP in ms + format: int32 + type: integer + loginRetryBackoffMs: + description: LoginRetryBackoffMs sets retry backoff with IDP + in ms + format: int32 + type: integer + scope: + description: |- + scope is optional and required only when your identity provider doesn't have + a default scope or your groups claim is linked to a scope. + minLength: 1 + type: string + subClaimName: + description: subClaimName specifies name of claim in JWT to + use for the subject. + minLength: 1 + type: string + tokenEndpointUri: + description: |- + tokenBaseEndpointUri specifies the base uri for token endpoint. + This is required for OAuth for inter broker communication along with + clientId & clientSecret in JassConfig or JassConfigPassthrough + minLength: 1 + type: string + type: object + principalMappingRules: + items: + type: string + type: array + type: + description: |- + type specifies the Kafka or Zookeeper authentication type. + Valid options are `plain`, `digest`, `mtls`, `ldap` & `oauth`. + enum: + - plain + - digest + - mtls + - ldap + - oauth + type: string + required: + - type + type: object + configOverrides: + description: |- + configOverrides specifies configs to override the server/JVM/log4j/peer + properties for the Zookeeper cluster. + A change to this property will roll the cluster. + properties: + jvm: + description: |- + jvm is a list of JVM configuration supported by the Confluent Platform component. + This will either add or update the existing configuration. 
+ items: + type: string + type: array + log4j: + description: |- + log4j is a list of Log4J configuration supported by the Confluent Platform component. + This will either add or update the existing configuration. + items: + type: string + type: array + peers: + description: |- + peers specify a list of dynamic peer configurations for the Zookeeper cluster. This is only required when deploying stretch + Zookeeper for MRC deployments and should include all the Zookeeper peers in other DCs that form the ensemble. + This will either add or update the existing configuration. + items: + type: string + type: array + server: + description: |- + server is a list of server configuration supported by the Confluent Platform component. + This will either add or update existing configuration. + items: + type: string + type: array + type: object + dataVolumeCapacity: + anyOf: + - type: integer + - type: string + description: dataVolumeCapacity specifies the data volume size. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + externalAccess: + description: |- + externalAccess specifies the external access configuration. + Should only be specified when Zookeeper peers are on another network. + properties: + loadBalancer: + description: loadBalancer specifies the configuration to create + a Kubernetes load balancer service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. 
+ This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain is the domain name of the component cluster. + minLength: 1 + type: string + externalTrafficPolicy: + description: externalTrafficPolicy specifies the external + traffic policy for the service. Valid options are `Local` + and `Cluster`. + enum: + - Local + - Cluster + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + loadBalancerSourceRanges: + description: loadBalancerSourceRanges specify the source ranges. + items: + type: string + type: array + port: + description: |- + port specifies the external port for the client consumption. + If not configured, the same internal/external port is configured for the component. + Information about the port can be retrieved through the status API. + format: int32 + type: integer + prefix: + description: |- + prefix specify the prefix for the given domain. + The default value is the name of the cluster. 
+ minLength: 1 + type: string + servicePorts: + description: servicePorts specify the user-provided service + port(s). + items: + description: ServicePort contains information on service's + port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. + All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. 
This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations of Client + IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. 
+ The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - domain + type: object + nodePort: + description: nodePort specifies the configuration to create a + Kubernetes node port service. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to `://:, where`podId` starts from `0` to `replicaCount - 1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. + If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + externalTrafficPolicy: + description: |- + externalTrafficPolicy specifies the external traffic policy for the service. + Valid options are `Local` and `Cluster`. + enum: + - Local + - Cluster + type: string + host: + description: host defines the host name of the cluster. 
+ minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + nodePortOffset: + description: |- + nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect + to the replicas count. + NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server. + The default Kubernetes Node Port range is `30000` - `32762`. + format: int32 + minimum: 0 + type: integer + servicePorts: + description: |- + servicePorts specify user-provided service port(s). + For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service. + items: + description: ServicePort contains information on service's + port. + properties: + appProtocol: + description: |- + The application protocol for this port. + This is used as a hint for implementations to offer richer behavior for protocols that they understand. + This field follows standard Kubernetes label syntax. + Valid values are either: + + + * Un-prefixed protocol names - reserved for IANA standard service names (as per + RFC-6335 and https://www.iana.org/assignments/service-names). + + + * Kubernetes-defined prefixed names: + * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- + * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 + * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 + + + * Other protocols should use implementation-defined prefixed names such as + mycompany.com/my-custom-protocol. + type: string + name: + description: |- + The name of this port within the service. This must be a DNS_LABEL. 
+ All ports within a ServiceSpec must have unique names. When considering + the endpoints for a Service, this must match the 'name' field in the + EndpointPort. + Optional if only one ServicePort is defined on this service. + type: string + nodePort: + description: |- + The port on each node on which this service is exposed when type is + NodePort or LoadBalancer. Usually assigned by the system. If a value is + specified, in-range, and not in use it will be used, otherwise the + operation will fail. If not specified, a port will be allocated if this + Service requires one. If this field is specified when creating a + Service which does not need it, creation will fail. This field will be + wiped when updating a Service to no longer need it (e.g. changing type + from NodePort to ClusterIP). + More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + format: int32 + type: integer + port: + description: The port that will be exposed by this service. + format: int32 + type: integer + protocol: + default: TCP + description: |- + The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". + Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the pods targeted by the service. + Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named port in the + target Pod's container ports. If this is not specified, the value + of the 'port' field is used (an identity map). + This field is ignored for services with clusterIP=None, and should be + omitted or set equal to the 'port' field. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + sessionAffinity: + description: |- + sessionAffinity defines the Kubernetes session affinity. 
The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity. + The default value is `None`. + More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity. + enum: + - ClientIP + - None + type: string + sessionAffinityConfig: + description: SessionAffinityConfig contains the configurations + of the session affinity. + properties: + clientIP: + description: clientIP contains the configurations of Client + IP based session affinity. + properties: + timeoutSeconds: + description: |- + timeoutSeconds specifies the seconds of ClientIP type session sticky time. + The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". + Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + required: + - host + - nodePortOffset + type: object + route: + description: route specifies the configuration to create a route + service in OpenShift. + properties: + advertisedURL: + description: |- + advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently. + If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be + set to: `://-http-external.` where podId starts from `0` to `replicaCount -1`. + This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and + the external DNS must be resolved inside the Kubernetes cluster. + This configuration will not take effect if MDS enabled dual listener setup. + properties: + enabled: + description: |- + enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker. + Has no effect with Zookeeper, which will always create a listener per pod. + type: boolean + prefix: + description: |- + prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint. 
+ If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`. + It uses 'zookeeper' as default prefix for Zookeeper in the same way. + minLength: 1 + type: string + required: + - enabled + type: object + annotations: + additionalProperties: + type: string + description: annotations is a map of string key and value + pairs. It specifies Kubernetes annotations for this service. + type: object + x-kubernetes-map-type: granular + domain: + description: domain specifies the domain name of the Confluent + component cluster. + minLength: 1 + type: string + labels: + additionalProperties: + type: string + description: labels is a map of string key and value pairs. + It specifies Kubernetes labels for this service. + type: object + x-kubernetes-map-type: granular + prefix: + description: |- + prefix specifies the component prefix when configured for the domain. + The default value is the name of the cluster. + minLength: 1 + type: string + wildcardPolicy: + description: |- + wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`. + The default value is `None`. + enum: + - Subdomain + - None + type: string + required: + - domain + type: object + type: + description: |- + type specifies the Kubernetes external service for the component. + Valid options are `loadBalancer`, `nodePort`, and `route`. + enum: + - loadBalancer + - nodePort + - route + minLength: 1 + type: string + required: + - type + type: object + headlessService: + description: headlessService specifies the configuration of the Kubernetes + headless service. + properties: + annotations: + additionalProperties: + type: string + description: |- + annotations is a map of string key and value pairs. + It specifies the annotations to be added to the CFK-created headless service. + These annotations are merged with the injectAnnotations and take precedence. 
+ type: object + x-kubernetes-map-type: granular + labels: + additionalProperties: + type: string + description: |- + labels is a map of string key and value pairs. + It specifies the labels to be added to the CFK-created headless service. + These labels are merged with the injectLabels and take precedence. + type: object + x-kubernetes-map-type: granular + publishNotReadyAddresses: + description: |- + publishNotReadyAddresses specifies the publishNotReadyAddresses field. + For Kafka, this value must be true. The default value is true. + type: boolean + type: object + image: + description: |- + image specifies the application and the init docker image configurations. + A change to this setting will roll the cluster. + properties: + application: + description: |- + application is the Docker image name of the application. Specify + `//:`. + pattern: .+:.+ + type: string + init: + description: |- + init is the init-container name. Specify + `//:`. + pattern: .+:.+ + type: string + pullPolicy: + description: |- + pullPolicy is the policy for pulling images. Valid options are `Always`, `Never`, and `IfNotPresent`. + The default value is `IfNotPresent`. + enum: + - Always + - Never + - IfNotPresent + type: string + pullSecretRef: + description: |- + pullSecretRef references the secrets in the same namespace to be used for pulling images. + Image pull secrets are distinct from secrets because secrets + can be mounted in the pod, but image pull secrets are only accessed by `kubelet`. + More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + items: + type: string + type: array + required: + - application + - init + type: object + injectAnnotations: + additionalProperties: + type: string + description: |- + injectAnnotations are the annotations injected to the internal resources that CFK created. + The internal annotations are preserved and cannot be overridden. + For pod annotations, use `podTemplate.annotations`. 
+ type: object + x-kubernetes-map-type: granular + injectLabels: + additionalProperties: + type: string + description: |- + injectLabels are the labels injected to the internal resources that CFK created. + The internal labels are preserved and cannot be overridden. + For pod labels, use `podTemplate.labels`. + type: object + x-kubernetes-map-type: granular + k8sClusterDomain: + description: |- + k8sClusterDomain specifies the configuration of the Kubernetes cluster domain. + The default is the `cluster.local` domain. + type: string + license: + description: license specifies the license configuration for the Confluent + Platform component. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + the license key is mounted. More info: + https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses + minLength: 1 + type: string + globalLicense: + description: globalLicense specifies whether the Confluent Platform + component shares the common global license. + type: boolean + secretRef: + description: |- + secretRef references the secret that provides the license for the Confluent Platform component. + More info: https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + logVolumeCapacity: + anyOf: + - type: integer + - type: string + description: logVolumeCapacity specifies the log volume size. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + metrics: + description: metrics specify the security settings for the metric + services. + properties: + authentication: + description: authentication specifies the authentication configuration + for the metrics. 
+ properties: + type: + description: type specifies the metrics authentication method. + The valid option is `mtls`. + enum: + - mtls + type: string + required: + - type + type: object + prometheus: + description: prometheus specifies the configuration overrides + for the JMX-Prometheus exporter. + properties: + blacklist: + items: + type: string + type: array + rules: + items: + description: Rule defines the Prometheus Exporter rule override. + properties: + attrNameSnakeCase: + type: boolean + cache: + type: boolean + help: + minLength: 1 + type: string + labels: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + name: + minLength: 1 + type: string + pattern: + minLength: 1 + type: string + type: + minLength: 1 + type: string + value: + minLength: 1 + type: string + valueFactor: + anyOf: + - type: integer + - type: string + default: 1 + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: array + whitelist: + items: + type: string + type: array + type: object + tls: + description: tls specifies the TLS configuration for the metrics. + properties: + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + enabled: + description: enabled specifies to enable the TLS configuration + for the Confluent component. + type: boolean + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing + the JKS password. 
+ properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - enabled + type: object + type: object + mountedSecrets: + description: |- + mountedSecrets list the secrets injected to + the underlying statefulset configuration. The secret reference is mounted + in the default path `/mnt/secrets/`. The underlying resources + will follow the secret as a file configuration. + More info: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod. + A change to this setting will roll the cluster. + items: + description: |- + MountedSecrets provides a way to inject a custom secret to the underlying + statefulset. + properties: + keyItems: + description: keyItems are key and path names. + items: + description: Maps a string key to a path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + secretRef: + description: secretRef references the name of the secret. + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + type: array + mountedVolumes: + description: |- + mountedVolumes list the custom volumes that need to be mounted into the + underlying statefulset. + A change to this setting will roll the cluster. + properties: + volumeMounts: + description: |- + volumeMounts specify the list of volume mounts for the pods in the + statefulset. + items: + description: VolumeMount describes a mounting of a Volume within + a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). 
+ SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + volumes: + description: |- + volumes specify the list of volumes that can be mounted into the pods + of statefulset. + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk mount + on the host and bind mount to the pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk in + the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in the + blob storage + type: string + fsType: + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure managed + data disk (only in managed availability set). defaults + to shared' + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. 
+ type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the host + that shares a pod's lifetime + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. 
+ type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about the + pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the + pod: only annotations, labels, name and namespace + are supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must not + be absolute or contain the ''..'' path. Must + be utf-8 encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. 
+ The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. 
Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. 
+ When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. 
+ * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. 
+ type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource that + is attached to a kubelet's host machine and then exposed + to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target worldwide + names (WWNs)' + items: + type: string + type: array + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + properties: + driver: + description: driver is the name of the driver to use + for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. 
+ type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the specified + revision. 
+ type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md + properties: + endpoints: + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. 
+ More info: https://examples.k8s.io/volumes/iscsi/README.md + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. 
+ type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon Controller + persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources secrets, + configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. 
+ format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected along + with other supported volume types + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the configMap + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. 
Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the + downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". 
+ type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
+ properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about the secret + data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. 
+ May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. 
+ type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount on the host + that shares a pod's lifetime + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references an already + created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + image: + description: |- + image is the rados image name. 
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + pool: + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the ScaleIO + API Gateway. 
+ type: string + protectionDomain: + description: protectionDomain is the name of the ScaleIO + Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL communication + with Gateway, default false + type: boolean + storageMode: + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage Pool + associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
+ YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within a + volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether the Secret + or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. 
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume attached + and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume attached + and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. 
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy Based + Management (SPBM) profile ID associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - volumeMounts + - volumes + type: object + oneReplicaPerNode: + description: |- + oneReplicaPerNode controls whether to run 1 pod per node using the pod anti-affinity capability. + Enabling this configuration in an existing cluster will roll the cluster. + type: boolean + pdb: + description: |- + configures PodDisruptionBudget for the Confluent Platform component. + by default PDB is configured based on pre-detemined formula. + properties: + enabled: + description: enabled specifies whether the PodDisruptionBudget + is enabled + type: boolean + maxUnavailable: + description: maxUnavailable is the maximum number of pods that + can be unavailable during the disruption. + format: int32 + type: integer + required: + - enabled + type: object + peers: + description: |- + peers specify a list of dynamic peer configurations for the Zookeeper cluster. This is only required when deploying stretch + Zookeeper for MRC deployments and should include all the Zookeeper peers in other DCs that form the ensemble. + This will either add or update the existing configuration. + items: + type: string + type: array + podTemplate: + description: podTemplate specifies the statefulset pod template configuration. + properties: + affinity: + description: |- + affinity specifies a group of affinity scheduling rules. 
+ More info: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. 
A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. 
due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. 
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. 
+ If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + description: |- + annotations is a map of string key and value pairs stored with the resource and + may be set by external tools to store and retrieve arbitrary metadata. They + are not queryable and should be preserved when modifying objects. More + info: http://kubernetes.io/docs/user-guide/annotations. + type: object + x-kubernetes-map-type: granular + envVars: + description: |- + envVars contain environment variables to be injected into containers. + More info: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a + C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". 
+ type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. 
+ properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + labels: + additionalProperties: + type: string + description: |- + labels is a map of string key and value pairs that can be used to organize and categorize + (scope and select) objects. + More info: http://kubernetes.io/docs/user-guide/labels. + type: object + x-kubernetes-map-type: granular + podSecurityContext: + description: |- + PodSecurityContext holds pod-level security attributes and common container settings. + Some fields are also present in container.securityContext. Field values of + container.securityContext take precedence over field values of PodSecurityContext. + properties: + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. 
+ Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. 
+ Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. 
+ Unconfined - no profile should be applied. + type: string + required: + - type + type: object + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in addition + to the container's primary GID, the fsGroup (if specified), and group memberships + defined in the container image for the uid of the container process. If unspecified, + no additional groups are added to any container. Note that group memberships + defined in the container image for the uid of the container process are still effective, + even if they are not included in this list. + Note that this field cannot be set when spec.os.name is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. 
+ type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + priorityClassName: + description: priorityClassName specifies the priority class for + the pod (if any). + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + probe: + description: probe contains the fields for standard Kubernetes + readiness/liveness probe configuration. + properties: + liveness: + description: |- + liveness configures the Kubernetes probe settings. The changes + will override the existing default configuration. + properties: + failureThreshold: + description: |- + failureThreshold is the minimum consecutive failures for the probe to be considered failed. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + initialDelaySeconds: + description: |- + initialDelaySeconds is the number of seconds after the container has started and before probes are initiated. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. 
+ format: int32 + type: integer + path: + description: Path for the HTTP probe + type: string + periodSeconds: + description: |- + periodSeconds specifies how often to perform the probe. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + port: + description: Number of the port to access on the container + type: integer + successThreshold: + description: |- + successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed. + The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`. + format: int32 + type: integer + timeoutSeconds: + description: |- + timeoutSeconds is the number of seconds after which the probe times out. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + type: object + readiness: + description: |- + readiness configures the Kubernetes probe setting. The changes + will override the existing default configuration. + properties: + failureThreshold: + description: |- + failureThreshold is the minimum consecutive failures for the probe to be considered failed. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + initialDelaySeconds: + description: |- + initialDelaySeconds is the number of seconds after the container has started and before probes are initiated. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + path: + description: Path for the HTTP probe + type: string + periodSeconds: + description: |- + periodSeconds specifies how often to perform the probe. 
+ Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + port: + description: Number of the port to access on the container + type: integer + successThreshold: + description: |- + successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed. + The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`. + format: int32 + type: integer + timeoutSeconds: + description: |- + timeoutSeconds is the number of seconds after which the probe times out. + Confluent Platform components come with the right configuration, and this setting is not required to change most of the time. + format: int32 + type: integer + type: object + type: object + resources: + description: resources describe the compute resource requirements. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + securityContext: + description: |- + SecurityContext holds security configuration that will be applied to a container. + Some fields are present in both SecurityContext and PodSecurityContext. When both + are set, the values in SecurityContext take precedence. + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. 
+ properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default is DefaultProcMount which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. 
+ Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + serviceAccountName: + description: |- + ServiceAccountName is the name of the service account used to run this pod. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account. 
+ type: string + terminationGracePeriodSeconds: + description: terminationGracePeriodSeconds is the grace period + before the pod is deleted. + format: int64 + type: integer + tolerations: + description: |- + tolerations specify the pods to schedule onto the nodes with matching taints, using + the triple `` and the matching operator ``. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + topologySpreadConstraints describe how a group of pods ought to spread across topology domains. 
Scheduler will + schedule pods based on the constraints. All topologySpreadConstraints are ANDed. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + + + This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. 
+ type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. 
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + replicas: + description: |- + replicas is the desired number of replicas. + A change to this setting will roll the cluster. + format: int32 + type: integer + storageClass: + description: |- + storageClass specifies the user-provided storage class. If not + configured, the default storage class is used. + properties: + name: + description: name is the storage class name. + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + tls: + description: tls specifies the TLS configuration. + properties: + autoGeneratedCerts: + description: |- + autoGeneratedCerts specifies that the certificates are auto-generated based on + the CA key pair provided. + type: boolean + directoryPathInContainer: + description: |- + directoryPathInContainer specifies the directory path in the container where + `keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted. + `truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`. + minLength: 1 + type: string + fips: + description: |- + fips specifies the configuration of FIPS compliant Bouncy Castle type Java Keystores for the cp component's + TLS settings. 
TLS Secrets must have the keys keystore.bcfks, truststore.bcfks, and jksPassword.txt + properties: + enabled: + description: enabled specifies whether to enable the FIPS + configuration for cp components. + type: boolean + required: + - enabled + type: object + ignoreTrustStoreConfig: + description: |- + ignoreTrustStoreConfig indicates whether to ignore the truststore configuration + for the Confluent component. + type: boolean + jksPassword: + description: jksPassword references the secret containing the + JKS password. + properties: + secretRef: + description: |- + secretRef references the name of the secret containing the JKS password. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - secretRef + type: object + secretRef: + description: |- + secretRef references the secret containing the certificates. + More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates + maxLength: 30 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + type: object + required: + - dataVolumeCapacity + - image + - logVolumeCapacity + type: object + status: + description: status defines the observed state of the Zookeeper cluster. + properties: + arbitraryData: + description: arbitraryData is the map for any arbitrary data associated + with this Confluent component. + x-kubernetes-preserve-unknown-fields: true + authorizationType: + description: authorizationType is the authorization type for this + Confluent component. + type: string + clusterName: + description: clusterName is the name of the Confluent Platform component + cluster. + type: string + clusterNamespace: + description: clusterNamespace is the namespace where the Confluent + Platform component cluster is running. 
+ type: string + conditions: + description: conditions specify the latest available observations + of the current state. + items: + description: Condition represent the latest available observations + of the current state. + properties: + lastProbeTime: + description: lastProbeTime shows the last time the condition + was evaluated. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime shows the last time the condition + was transitioned from one status to another. + format: date-time + type: string + message: + description: message shows a human-readable message with details + about the transition. + type: string + reason: + description: reason shows the reason for the last transition + of the condition. + type: string + status: + description: status shows the status of the condition, one of + `True`, `False`, or `Unknown`. + type: string + type: + description: type shows the condition type. + type: string + type: object + type: array + currentReplicas: + description: currentReplicas is the number of currently running replicas. + format: int32 + type: integer + internalSecrets: + description: |- + internalSecrets are internal secrets created + by CFK for this Confluent component. + items: + type: string + type: array + internalTopicNames: + description: internalTopicNames are the topics used by the component + for internal use. + items: + type: string + type: array + myIdOffset: + description: myIdOffset shows the MyId offset configuration. + format: int32 + type: integer + observedGeneration: + description: observedGeneration is the most recent generation observed + for this Confluent component. + format: int64 + type: integer + operatorVersion: + description: operatorVersion is the internal version of CFK. + type: string + phase: + description: |- + phase describes the state of the Confluent Platform component. 
This can either be 'PROVISIONING' + or 'RUNNING' + 'PROVISIONING' means the Confluent Platform component is currently getting deployed and not ready yet. + 'RUNNING' means the Confluent Platform component has been successfully deployed. + type: string + readyReplicas: + description: readyReplicas is the number of currently ready replicas. + format: int32 + type: integer + replicas: + description: replicas is the number of replicas. + format: int32 + type: integer + restConfig: + description: restConfig is the REST API configuration of the Zookeeper + cluster. + properties: + advertisedExternalEndpoints: + description: advertisedExternalEndpoints specifies other advertised + endpoints used, especially for Kafka. + items: + type: string + type: array + authenticationType: + description: authenticationType shows the authentication type + configured by the listener. + type: string + externalAccessType: + description: externalAccessType shows the external access type + used for the listener. + type: string + externalEndpoint: + description: externalEndpoint specifies the external endpoint + to connect to the Confluent component cluster. + type: string + internalEndpoint: + description: internalEndpoint specifies the internal endpoint + to connect to the Confluent component cluster. + type: string + tls: + description: tls shows whether TLS is configured for the listener. + type: boolean + type: object + selector: + description: |- + selector gets the label selector of the child pod. + The Horizontal Pod Autoscaler(HPA) will scale using the label selector of the child pod. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + scale: + specReplicasPath: .spec.replicas + statusReplicasPath: .status.replicas + status: {} 
diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/NOTES.txt b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/NOTES.txt
new file mode 100644
index 000000000..13dc5b3bc
--- /dev/null
+++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/NOTES.txt
@@ -0,0 +1,4 @@
+ The Confluent Operator
+
+The Confluent Operator brings the component (Confluent Services) specific controllers for kubernetes by providing components specific Custom Resource
+Definition (CRD) as well as managing other Confluent Platform services
diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/_helpers.tpl b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/_helpers.tpl
new file mode 100644
index 000000000..2815a8374
--- /dev/null
+++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/_helpers.tpl
@@ -0,0 +1,42 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "confluent-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "confluent-operator.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "confluent-operator.service-account" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "confluent-operator.name" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "confluent-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/clusterrole.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/clusterrole.yaml
new file mode 100644
index 000000000..c689bfb5d
--- /dev/null
+++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/clusterrole.yaml
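Review bot: The `else` branch of `confluent-operator.service-account` falls back to the literal `default` ServiceAccount when `serviceAccount.create` is false and no `serviceAccount.name` is given, and clusterrolebinding.yaml binds the operator's Role or ClusterRole to whatever this helper returns. In that configuration the operator's permissions (including full access to Secrets in the core-group rule) land on the namespace's `default` ServiceAccount, which every pod in the namespace that does not set `serviceAccountName` also runs as. If the fallback is not deliberate, failing early keeps the binding on a dedicated identity: `{{ required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}`. Either way, a short comment on the helper stating that the fallback shares privileges with the namespace default account would help operators judge the choice.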
@@ -0,0 +1,172 @@ +{{- if .Values.rbac }} +{{- $clusterRole := or (not .Values.namespaced) (.Values.kRaftEnabled) (gt (len .Values.namespaceList) 0)}} +apiVersion: rbac.authorization.k8s.io/v1 +{{- if not $clusterRole }} +kind: Role +{{- else }} +kind: ClusterRole +{{- end }} +metadata: + labels: + app: {{ include "confluent-operator.name" . }} + app.kubernetes.io/name: {{ include "confluent-operator.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "confluent-operator" + helm.sh/chart: {{ include "confluent-operator.chart" . }} + name: {{ .Values.name }} + {{- if not $clusterRole }} + namespace: {{ .Release.Namespace }} + {{- end }} +rules: +- apiGroups: + - platform.confluent.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if .Values.clusterRole.openshift }} +- apiGroups: + - route.openshift.io + resources: + - routes + - routes/custom-host + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- end }} +- apiGroups: + - apps + resources: + - statefulsets + - statefulsets/scale + - statefulsets/status + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - apps + resources: + - deployments + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - persistentvolumeclaims + - persistentvolumes + - secrets + - secrets/finalizers + - pods + - services + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if gt (int (.Values.replicas)) 1 }} +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +{{- end }} +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingresses/status + verbs: + - get + - 
list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +{{- if $clusterRole }} + - list + - watch +{{- end }} +{{- if .Values.webhooks.enabled }} +# Webhook configurations are cluster scoped +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: {{ include "confluent-operator.name" . }} + app.kubernetes.io/name: {{ include "confluent-operator.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "confluent-operator" + helm.sh/chart: {{ include "confluent-operator.chart" . }} + name: {{ .Values.name }}-webhook-{{ .Release.Namespace }} +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update + - apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +{{- end }} +{{- end }} diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/clusterrolebinding.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..58aa9d043 --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/clusterrolebinding.yaml 
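Review bot: The core-group rule granting get/list/watch/create/update/patch/delete on `secrets`, `secrets/finalizers`, `configmaps`, `pods` and `services` is rendered as a ClusterRole whenever `$clusterRole` is true, and that variable is set by `.Values.kRaftEnabled` or a non-empty `.Values.namespaceList` as well as by `namespaced: false`, so a `namespaced: true` install with KRaft enabled still receives read/write access to every Secret in the cluster. That may be what the controller needs, but the escalation from a single namespace to cluster scope via an unrelated-looking flag is easy to miss; a comment on the `$clusterRole` line such as `# kRaftEnabled and namespaceList both promote this Role to a ClusterRole (cluster-wide Secret access)` and a matching note in values.yaml would make it explicit. For the `namespaceList` case, rendering one Role/RoleBinding per listed namespace (a `range` over `.Values.namespaceList`) would keep the Secret permissions scoped to the watched namespaces only, if the controller does not otherwise require cluster scope.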
@@ -0,0 +1,56 @@
+{{- if .Values.rbac }}
+{{- $clusterRoleBinding := or (not .Values.namespaced) (.Values.kRaftEnabled) (gt (len .Values.namespaceList) 0)}}
+{{- if not $clusterRoleBinding }}
+kind: RoleBinding
+{{- else }}
+kind: ClusterRoleBinding
+{{- end }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+ app: {{ include "confluent-operator.name" . }}
+ app.kubernetes.io/name: {{ include "confluent-operator.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: "confluent-operator"
+ helm.sh/chart: {{ include "confluent-operator.chart" . }}
+ name: {{ .Values.name }}
+ {{- if not $clusterRoleBinding }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "confluent-operator.service-account" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ {{- if not $clusterRoleBinding }}
+ kind: Role
+ {{- else }}
+ kind: ClusterRole
+ {{- end }}
+ name: {{ .Values.name }}
+ apiGroup: rbac.authorization.k8s.io
+# Webhook configurations are cluster scoped
+{{- if and (.Values.webhooks.enabled) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: {{ include "confluent-operator.name" . }}
+ app.kubernetes.io/name: {{ include "confluent-operator.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: "confluent-operator"
+ helm.sh/chart: {{ include "confluent-operator.chart" . }}
+ name: {{ .Values.name }}-webhook-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "confluent-operator.service-account" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ .Values.name }}-webhook-{{ .Release.Namespace }}
+ apiGroup: rbac.authorization.k8s.io
+ {{- end }}
+{{- end }}
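Review bot: `{{- if and (.Values.webhooks.enabled) }}` passes a single operand to `and`, which Go templates accept but which reads like a leftover from a two-condition check; `{{- if .Values.webhooks.enabled }}` says the same thing and matches the form clusterrole.yaml uses for the same guard. The closing `{{- end }}` of that block is indented one level while its opener and the outer `{{- end }}` sit at column 0, so aligning it with its opener makes the nesting easier to follow. The `$clusterRoleBinding` expression duplicates the `$clusterRole` expression in clusterrole.yaml; a one-line comment pointing at the sibling (`# must stay in sync with $clusterRole in clusterrole.yaml`) guards against the two drifting apart.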
diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/deployment.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/deployment.yaml new file mode 100644 index 000000000..86a64d866 --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/deployment.yaml 
@@ -0,0 +1,238 @@ +{{- $_ := required "Namespace is required" .Release.Namespace }} +{{- $_ := required "Name of operator is required." .Values.name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: {{ include "confluent-operator.name" . }} + app.kubernetes.io/name: {{ include "confluent-operator.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "confluent-operator" + helm.sh/chart: {{ include "confluent-operator.chart" . }} + version: {{ .Values.image.tag }} + name: {{ .Values.name }} + namespace: {{ .Release.Namespace }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app.kubernetes.io/name: "confluent-operator" + app.kubernetes.io/instance: {{ .Release.Name }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + {{- range $key, $value := .Values.pod.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + app: "confluent-operator" + app.kubernetes.io/name: "confluent-operator" + app.kubernetes.io/instance: {{ .Release.Name }} + confluent-platform: "true" + version: {{ .Values.image.tag }} + {{- range $key, $value := .Values.pod.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- if not (empty $.Values.affinity) }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} + {{- end }} + {{- if not (empty $.Values.tolerations) }} + tolerations: +{{ toYaml .Values.tolerations | trim | indent 6 }} + {{- end }} + {{- if .Values.podSecurity.enabled }} + securityContext: +{{ toYaml .Values.podSecurity.securityContext | indent 8 }} + {{- end }} + containers: + - args: + - --debug={{.Values.debug}} + - --fipsmode={{.Values.fipsmode}} + - --kraftClusterIdRecovery={{.Values.kRaftEnabled}} + {{- if gt (int (.Values.replicas)) 1 }} + - --enable-leader-election + {{- end }} + {{- if .Values.namespaced }} + {{- if empty 
.Values.namespaceList }} + - --namespaces={{ .Release.Namespace }} + {{- else}} + {{- $ns := "" }} + {{- range $i, $v := .Values.namespaceList }} + {{- $ns = printf "%s,%s" $ns (trim $v) }} + {{- end }} + - --namespaces={{ substr 1 (len $ns) $ns }} + {{- end }} + {{- end }} + name: {{ .Values.name }} + image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{.Values.image.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + readinessProbe: + httpGet: + port: 8080 + path: /readyz + livenessProbe: + httpGet: + port: 8080 + path: /healthz + resources: +{{ toYaml .Values.resources | trim | indent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODEIP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: DD_ENTITY_ID + valueFrom: + fieldRef: + fieldPath: metadata.uid + - name: DEPLOYMENT_NAME + value: {{ .Values.name }} + - name: CONFLUENT_SERVICE_ACCOUNT_NAME + value: {{ template "confluent-operator.service-account" . 
}} + {{- if .Values.numDay2Worker }} + - name: DEFAULT_DAY2_WORKER + value: "{{ .Values.numDay2Worker }}" + {{- end }} + {{- if .Values.managedCerts.enabled }} + {{- if and (empty .Values.managedCerts.caCertificate.secretRef) (empty .Values.managedCerts.caCertificate.directoryPathInContainer) }} + {{- $_ := required "secretRef or directoryPathInContainer must be configured when managedCerts is enabled" .Values.managedCerts.secretRef }} + {{- end }} + {{- if ge (.Values.managedCerts.renewBeforeInDays) (.Values.managedCerts.certDurationInDays) }} + {{- $_ := required "managedCerts.certDurationInDays for managed certs should be greater than managedCerts.renewBeforeInDays" "" }} + {{- end }} + {{- if .Values.managedCerts.certDurationInDays }} + - name: CONFLUENT_MANAGED_CERTS_DURATION_DAYS + value: "{{ .Values.managedCerts.certDurationInDays }}" + {{- end }} + {{- if .Values.managedCerts.renewBeforeInDays }} + - name: CONFLUENT_MANAGED_CERTS_RENEW_BEFORE_DAYS + value: "{{ .Values.managedCerts.renewBeforeInDays }}" + {{- end }} + {{- if .Values.managedCerts.sans }} + {{- if not (regexMatch "[ -~]" .Values.managedCerts.sans) }} + {{- $_ := required "invalid characters in managedCerts.sans. 
Only first 128 ASCII characters are allowed" "" }} + {{- end }} + - name: CONFLUENT_MANAGED_CERTS_SANS + value: "{{ .Values.managedCerts.sans }}" + {{- end }} + {{- if .Values.managedCerts.caCertificate.secretRef }} + - name: CONFLUENT_MANAGED_CERTS_SECRET_NAME + value: {{ .Values.managedCerts.caCertificate.secretRef }} + {{- end }} + {{- if .Values.managedCerts.caCertificate.directoryPathInContainer }} + - name: CONFLUENT_MANAGED_CERTS_DIRECTORY_PATH + value: {{ .Values.managedCerts.caCertificate.directoryPathInContainer }} + {{- end }} + {{- end }} + {{- if .Values.licenseSecretRef }} + - name: CONFLUENT_LICENSE_SECRET_NAME + value: {{ .Values.licenseSecretRef }} + {{- else if .Values.license.secretRef }} + - name: CONFLUENT_LICENSE_SECRET_NAME + value: {{ .Values.license.secretRef }} + {{- end }} + {{- if .Values.license.directoryPathInContainer }} + - name: CONFLUENT_LICENSE_DIRECTORY_PATH + value: {{ .Values.license.directoryPathInContainer }} + {{- end }} + {{- if or (.Values.telemetry.enabled) (.Values.telemetry.operator.enabled) }} + {{- if and (empty .Values.telemetry.secretRef) (empty .Values.telemetry.directoryPathInContainer) }} + {{- $_ := required "secretRef or directoryPathInContainer must be configured when telemetry is enabled" .Values.telemetry.secretRef }} + {{- end }} + - name: CP_TELEMETRY_ENABLED + value: {{ quote .Values.telemetry.enabled }} + - name: OPERATOR_TELEMETRY_ENABLED + value: {{ quote .Values.telemetry.operator.enabled }} + {{- if .Values.telemetry.secretRef }} + - name: CONFLUENT_TELEMETRY_SECRET_NAME + value: {{ .Values.telemetry.secretRef }} + {{- end }} + {{- if .Values.telemetry.directoryPathInContainer }} + - name: CONFLUENT_TELEMETRY_DIRECTORY_PATH + value: {{ .Values.telemetry.directoryPathInContainer }} + {{- end }} + {{- if .Values.telemetry.proxy.enabled }} + - name: CONFLUENT_TELEMETRY_PROXY_ENABLED + value: "true" + {{- end }} + {{- if .Values.telemetry.proxy.credentialRequired }} + - name: 
CONFLUENT_TELEMETRY_PROXY_CREDENTIAL_REQUIRED + value: "true" + {{- end }} + {{- end }} + {{- if .Values.webhooks.enabled }} + {{- if and (empty .Values.webhooks.tls.secretRef) (empty .Values.webhooks.tls.directoryPathInContainer) }} + {{- $_ := required "secretRef or directoryPathInContainer must be configured when webhooks are enabled" .Values.webhooks.tls.secretRef }} + {{- end }} + {{- if .Values.webhooks.tls.secretRef }} + - name: CONFLUENT_WEBHOOKS_SECRET_NAME + value: {{ .Values.webhooks.tls.secretRef }} + {{- end }} + {{- if .Values.webhooks.tls.directoryPathInContainer }} + - name: CONFLUENT_WEBHOOKS_DIRECTORY_PATH + value: {{ .Values.webhooks.tls.directoryPathInContainer }} + {{- end }} + - name: CONFLUENT_WEBHOOKS_PORT + value: {{ quote .Values.webhooks.port }} + {{- end }} + {{- if .Values.containerSecurity.enabled }} + securityContext: +{{ toYaml .Values.containerSecurity.securityContext | indent 10 }} + {{- end }} + {{- if or (not (empty .Values.mountedVolumes.volumeMounts)) (and (.Values.webhooks.enabled) (.Values.webhooks.tls.secretRef)) }} + volumeMounts: + {{- end }} + {{- if not (empty .Values.mountedVolumes.volumeMounts) }} + {{- range .Values.mountedVolumes.volumeMounts }} + {{- if and ($.Values.webhooks.enabled) (or (eq .mountPath "/mnt/sslcerts/webhook") (eq .name "webhook-certs")) }} + {{- $_ := fail "mount path \"/mnt/sslcerts/webhook\" and name \"webhook-certs\" are reserved for webhooks" }} + {{- end }} + - {{ toYaml . 
| indent 12 | trim }} + {{- end }} + {{- end }} + {{- if and (.Values.webhooks.enabled) (.Values.webhooks.tls.secretRef) }} + - mountPath: /mnt/sslcerts/webhook + name: webhook-certs + readOnly: true + {{- end }} + {{- if or (not (empty .Values.mountedVolumes.volumes)) (and (.Values.webhooks.enabled) (.Values.webhooks.tls.secretRef)) }} + volumes: + {{- end }} + {{- if not (empty .Values.mountedVolumes.volumes ) }} + {{- range .Values.mountedVolumes.volumes }} + {{- if and ($.Values.webhooks.enabled) (eq .name "webhook-certs") }} + {{- $_ := fail "name \"webhook-certs\" is reserved for webhooks" }} + {{- end }} + - {{ toYaml . | indent 10 | trim }} + {{- end }} + {{- end }} + {{- if and (.Values.webhooks.enabled) (.Values.webhooks.tls.secretRef) }} + - name: webhook-certs + secret: + defaultMode: 420 + secretName: {{ .Values.webhooks.tls.secretRef }} + {{- end }} + {{- if and .Values.imagePullSecretRef (not .Values.serviceAccount.create) }} + imagePullSecrets: + - name: {{ .Values.imagePullSecretRef }} + {{- end }} + serviceAccountName: {{ template "confluent-operator.service-account" . }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + restartPolicy: Always + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/licensing.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/licensing.yaml new file mode 100644 index 000000000..a8ab26bcd --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/licensing.yaml 
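Review bot: The SAN validation `{{- if not (regexMatch "[ -~]" .Values.managedCerts.sans) }}` only rejects a value that contains no printable-ASCII character at all, because the class is unanchored; a string mixing non-ASCII bytes with any ASCII character passes and is handed to the operator via `CONFLUENT_MANAGED_CERTS_SANS`, defeating the "invalid characters" check the error message describes. Anchoring the pattern enforces the intended rule: `{{- if not (regexMatch "^[ -~]+$" .Values.managedCerts.sans) }}` (the surrounding `if .Values.managedCerts.sans` already excludes the empty string). The message text "Only first 128 ASCII characters are allowed" could then be tightened to "printable ASCII", which is what the class actually permits. The same unanchored-regex pattern does not appear elsewhere in this hunk.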
@@ -0,0 +1,19 @@
+{{- if not .Values.licenseSecretRef }}
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app: {{ include "confluent-operator.name" . }}
+ app.kubernetes.io/name: {{ include "confluent-operator.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: "confluent-operator"
+ helm.sh/chart: {{ include "confluent-operator.chart" . }}
+ namespace: {{ .Release.Namespace }}
+ name: confluent-operator-licensing
+type: Opaque
+data:
+ {{- if .Values.licenseKey }}
+ license.txt: {{ .Values.licenseKey | b64enc }}
+ {{- end }}
+{{- end }}
diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/service.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/service.yaml
new file mode 100644
index 000000000..2f9ecbc98
--- /dev/null
+++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/service.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: {{ include "confluent-operator.name" . }}
+ app.kubernetes.io/name: {{ include "confluent-operator.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: "confluent-operator"
+ helm.sh/chart: {{ include "confluent-operator.chart" . }}
+ name: confluent-operator
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - name: http-metric
+ port: 7778
+ protocol: TCP
+ targetPort: 7778
+ {{- if (.Values.webhooks.enabled) }}
+ - name: webhook
+ port: {{ .Values.webhooks.port }}
+ protocol: TCP
+ targetPort: {{ .Values.webhooks.port }}
+ {{- end }}
+ selector:
+ app: "confluent-operator"
+ app.kubernetes.io/name: "confluent-operator"
+ type: ClusterIP
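Review bot: The Secret is rendered whenever `licenseSecretRef` is empty, but deployment.yaml also accepts `license.secretRef` in its `else if` branch, so a user who supplies their own license Secret through `license.secretRef` still gets a chart-managed `confluent-operator-licensing` Secret created in the release namespace, with no `license.txt` key when `licenseKey` is empty. If the intent is to create this Secret only when no user-provided reference exists, the guard could read `{{- if and (not .Values.licenseSecretRef) (not .Values.license.secretRef) }}`. Separately, `licenseKey` travels through Helm values, so the key is retained in the release's stored values as well as in this Secret; presumably expected, but a comment next to `licenseKey` in values.yaml noting that `license.secretRef` avoids that copy would steer users toward the reference form.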
diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/serviceaccount.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/serviceaccount.yaml
new file mode 100644
index 000000000..9ed5b692d
--- /dev/null
+++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/serviceaccount.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+{{- if .Values.imagePullSecretRef }}
+imagePullSecrets:
+- name: {{ .Values.imagePullSecretRef }}
+{{- end }}
+kind: ServiceAccount
+metadata:
+ labels:
+ app: {{ include "confluent-operator.name" . }}
+ app.kubernetes.io/name: {{ include "confluent-operator.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: "confluent-operator"
+ helm.sh/chart: {{ include "confluent-operator.chart" . }}
+ name: {{ template "confluent-operator.service-account" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/validatingwebhookconfiguration.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 000000000..e7235f9fd
--- /dev/null
+++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/templates/validatingwebhookconfiguration.yaml
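Review bot: `imagePullSecrets` is emitted between `apiVersion` and `kind`, ahead of `metadata`, which is valid YAML but reads oddly next to the other templates in this chart, all of which lead with `apiVersion`, `kind`, `metadata`. Moving the `{{- if .Values.imagePullSecretRef }}` block to the end of the document, after `namespace:`, restores the conventional key order. Since deployment.yaml only sets `imagePullSecrets` on the pod when `serviceAccount.create` is false, this ServiceAccount is the sole pull-secret path for the default install; a one-line comment saying so (`# pull secret is attached here, not on the pod, when the SA is chart-managed`) would save the next reader the cross-file lookup.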
@@ -0,0 +1,184 @@ +{{- if (.Values.webhooks.enabled) }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: {{ include "confluent-operator.name" . }} + app.kubernetes.io/name: {{ include "confluent-operator.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "confluent-operator" + helm.sh/chart: {{ include "confluent-operator.chart" . }} + name: confluent-operator-{{ .Release.Namespace }}.webhook.platform.confluent.io +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: confluent-operator + namespace: {{ .Release.Namespace }} + path: /confluent-operator/validate + port: {{ .Values.webhooks.port }} + failurePolicy: Fail + name: cfk-resources.webhooks.platform.confluent.io + namespaceSelector: + matchExpressions: + - key: confluent-operator.webhooks.platform.confluent.io/disable + operator: NotIn + values: [ "true" ] + {{- if .Values.namespaced }} + - key: kubernetes.io/metadata.name + operator: In + values: + {{- if empty .Values.namespaceList }} + - {{ .Release.Namespace }} + {{- else }} + {{- range $i, $v := .Values.namespaceList }} + - {{ trim $v }} + {{- end }} + {{- end }} + {{- end }} + objectSelector: + matchExpressions: + - key: confluent-operator.webhooks.platform.confluent.io/disable + operator: NotIn + values: [ "true" ] + rules: + - apiGroups: + - platform.confluent.io + apiVersions: + - v1beta1 + operations: + - UPDATE + - DELETE + resources: + - zookeepers + - kafkas + - kraftcontrollers + - ksqldbs + - controlcenters + scope: Namespaced + sideEffects: None + timeoutSeconds: 10 +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: confluent-operator + namespace: {{ .Release.Namespace }} + path: /confluent-operator/validate + port: {{ .Values.webhooks.port }} + failurePolicy: Fail + name: core-resources.webhooks.platform.confluent.io + 
namespaceSelector: + matchExpressions: + - key: confluent-operator.webhooks.platform.confluent.io/disable + operator: NotIn + values: [ "true" ] + {{- if .Values.namespaced }} + - key: kubernetes.io/metadata.name + operator: In + values: + {{- if empty .Values.namespaceList }} + - {{ .Release.Namespace }} + {{- else }} + {{- range $i, $v := .Values.namespaceList }} + - {{ trim $v }} + {{- end }} + {{- end }} + {{- end }} + objectSelector: + matchLabels: + confluent-platform: "true" + rules: + - apiGroups: + - apps + apiVersions: + - v1 + operations: + - DELETE + resources: + - statefulsets + scope: Namespaced + sideEffects: None + timeoutSeconds: 10 +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: confluent-operator + namespace: {{ .Release.Namespace }} + path: /confluent-operator/validate + port: {{ .Values.webhooks.port }} + failurePolicy: Fail + name: kafka-pods.webhooks.platform.confluent.io + namespaceSelector: + matchExpressions: + - key: confluent-operator.webhooks.platform.confluent.io/disable + operator: NotIn + values: [ "true" ] + {{- if .Values.namespaced }} + - key: kubernetes.io/metadata.name + operator: In + values: + {{- if empty .Values.namespaceList }} + - {{ .Release.Namespace }} + {{- else }} + {{- range $i, $v := .Values.namespaceList }} + - {{ trim $v }} + {{- end }} + {{- end }} + {{- end }} + objectSelector: + matchLabels: + confluent-platform: "true" + platform.confluent.io/type: kafka + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - DELETE + resources: + - pods + scope: Namespaced + sideEffects: None + timeoutSeconds: 30 +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: confluent-operator + namespace: {{ .Release.Namespace }} + path: /confluent-operator/validate + port: {{ .Values.webhooks.port }} + failurePolicy: Fail + name: evictions.webhooks.platform.confluent.io + namespaceSelector: + matchExpressions: + {{- if .Values.namespaced }} + - key: 
kubernetes.io/metadata.name + operator: In + values: + {{- if empty .Values.namespaceList }} + - {{ .Release.Namespace }} + {{- else }} + {{- range $i, $v := .Values.namespaceList }} + - {{ trim $v }} + {{- end }} + {{- end }} + {{- end }} + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods/eviction + scope: Namespaced + sideEffects: None + timeoutSeconds: 30 +{{- end }} diff --git a/charts/confluent/confluent-for-kubernetes/0.1033.33/values.yaml b/charts/confluent/confluent-for-kubernetes/0.1033.33/values.yaml new file mode 100644 index 000000000..1186a9478 --- /dev/null +++ b/charts/confluent/confluent-for-kubernetes/0.1033.33/values.yaml 
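Review bot: The `evictions.webhooks.platform.confluent.io` webhook is the only one of the four whose `namespaceSelector` omits the `confluent-operator.webhooks.platform.confluent.io/disable NotIn ["true"]` expression, and it has no `objectSelector`, so with `failurePolicy: Fail` and a 30 s timeout every `pods/eviction` CREATE in the selected namespaces is rejected whenever the `confluent-operator` Service has no ready endpoint — in practice node drains stall while the operator is down, with no per-namespace escape hatch. When `namespaced` is false the selector presumably renders as an empty `matchExpressions`, which matches all namespaces, so the blast radius is then cluster-wide. Adding the same disable-label expression under that webhook's `matchExpressions` (three lines, as in the other three webhooks) gives operators a documented way out during incidents, and a comment such as `# Fail-closed: blocks evictions cluster-wide while the operator is unavailable` would make the trade-off visible. Listing `- v1` ahead of `- v1beta1` under `admissionReviewVersions` is also worth considering if the webhook server speaks the v1 AdmissionReview, since v1beta1 is the deprecated form.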
@@ -0,0 +1,269 @@ +## Confluent operator name +## +name: confluent-operator +## +## license Key +## +licenseKey: "" +## +## Load license either from the secret or through directoryPath. +## This will take precedence over licenseKey field. +## +license: + ## + ## The license secret reference name is injected through + ## CONFLUENT_LICENSE_SECRET_NAME environment variable. + ## The expected key: license.txt. license.txt contains raw license data. + ## For backward compatibility, licenseSecretRef field takes precedence if configured. + secretRef: "" + ## The directoryPathInContainer value is injected through + ## CONFLUENT_LICENSE_DIRECTORY_PATH environment variable. + ## The expected key: license.txt. license.txt file must have value in pattern `license=`. + ## + ## This configuration takes precedence over license.secretRef or licenseSecretRef field. + ## + directoryPathInContainer: "" + +## +## AutoGenerated certificates configuration. +## We will continue using older model of reading CA from secret "ca-pair-sslcerts" unless +## managedCerts.enabled is set to true. +## +managedCerts: + ## + ## Denotes whether CFK managed certs are configured with helm values. If this is set to true + ## values below will be used for auto-generated certificates and will cause a cluster roll + ## first time after this is enabled. + ## + enabled: false + ## + ## CA certificate pair for AutoGenerated certificates in this CFK operator deployment. + ## + caCertificate: + ## + ## CA pair secret reference name is injected through + ## CONFLUENT_MANAGED_CERTS_SECRET_NAME environment variable. + ## The expected keys are tls.crt and tls.key for CA Certificate and CA Certificate Key + ## respectively. + ## + secretRef: "" + ## The directoryPathInContainer value for CA pair certificates are injected through + ## CONFLUENT_MANAGED_CERTS_DIRECTORY_PATH environment variable. + ## The expected files are tls.crt and tls.key for CA Certificate and CA Certificate Key + ## respectively. 
+ ## + directoryPathInContainer: "" + ## + ## Validity for Auto-generated certificates is injected through + ## CONFLUENT_MANAGED_CERTS_DURATION_DAYS environment variable. + ## + certDurationInDays: 60 + ## + ## Renewal time for Auto-generated certificates is injected through + ## CONFLUENT_MANAGED_CERTS_RENEW_BEFORE_DAYS environment variable. + ## + renewBeforeInDays: 30 + ## + ## SANs to be added for all auto-generated certificates generated by this + ## CFK operator. This is injected through CONFLUENT_MANAGED_CERTS_SANS + ## environment variable. + ## Use this for adding wild card SANs. Modifying this will trigger regeneration of + ## certs for all CP clusters managed by the CFK operator. + ## + sans: "" + +### +## Image pull secret +imagePullSecretRef: confluent-registry +## Confluent Operator Image Information +## +image: + registry: docker.io + repository: confluentinc/confluent-operator + pullPolicy: IfNotPresent + tag: "0.1033.33" + +### +## Priority class for Confluent Operator pod +priorityClassName: "" +## Number of pods for Operator +## Enables leader election if more than one replica +replicas: 1 +## Confluent Operator Cluster Access +## If true, operator only creates roles/rolebinding for the release namespace +## Otherwise, it has cluster access with clusterrole/clusterrrolebinding +namespaced: true +### list of namespaces to watch by operator +### This field only takes in effect if `namespaced=true`. By default, it will only watch the release namespace +### Otherwise, it will watch specified namespaces. 
If watching only release namespace, do not specify this field +namespaceList: [] +## Confluent Operator Pod Resources +## +resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi +## Pod termination grace-period +## +terminationGracePeriodSeconds: 30 +## Enable debugging +## +debug: false +## Enable Fips Mode +## +fipsmode: false +## Set number of day2 workers +## +numDay2Worker: "" +## +## Configure affinity, +## More information here https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ +## +affinity: {} +## Example for nodeAffinity, configure as required. +##affinity: +## nodeAffinity: +## requiredDuringSchedulingIgnoredDuringExecution: +## nodeSelectorTerms: +## - matchExpressions: +## - key: "node-role.kubernetes.io/compute" +## operator: In +## values: +## - "true" + +## +## Configure tolerations +## https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## +##tolerations: +##- key: "dedicated" +## operator: "Equal" +## value: "operator" +## effect: "NoSchedule" + +## Pod Security Context +## +podSecurity: + enabled: true + securityContext: + fsGroup: 1001 + runAsUser: 1001 + runAsNonRoot: true + +## Container Security Context +## Container security context overrides security context defined at pod level. 
+## For example following container security context would override the +## default PodSecurityContext defined above +## +## securityContext: +## runAsUser: 2001 +## runAsNonRoot: false +## +## Refer to this documentation on how configure security context for container +## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containerh +## +containerSecurity: + enabled: false + securityContext: {} + +## +## ServiceAccount +## If enabled it will create, otherwise it will +## not create +## +serviceAccount: + create: true + name: "" +## Enable Kubernetes RBAC +## When set to true, it will create a proper role/rolebinding or cluster/clusterrolebinding based on namespaced field. +## If a user doesn't have permission to create role/rolebinding then they can disable rbac field and +## create required resources out of band to be used by the Operator. In this case, follow the +## templates/clusterrole.yaml and templates/clusterrolebiding.yaml to create proper required resources. +rbac: true + +## Enable extra Kubernetes API groups in role/clusterrole resource +## When set to true, it will add apiGroups to role/clusterrole for OpenShift route resource +clusterRole: + openshift: true + +### +### Confluent Telemetry Report configuration +## The secretRef contains following data, +## telemetry.txt: |- +## api.key= +## api.secret= +## proxy.url= # only required if proxy is enabled +## proxy.username= # only required if proxy requires credential +## proxy.password= +## +telemetry: + operator: + enabled: false + enabled: false + proxy: + enabled: false + credentialRequired: false + secretRef: "" + ## To use directoryPathInContainer, need to make sure + ## you mount telemetry.txt in the path you provided here in each pod + directoryPathInContainer: "" + +## In case of KRaft, we need to preserve the KRaft ClusterID in PV annotation +## for disaster recovery case. 
Enabling this ensures we create proper ClusterRoles +## to be able to set this annotation in PersistentVolumes. +kRaftEnabled: false + +### +### Webhooks configuration +## To enable webhooks, it requires TLS certificates to set up webhook server, +## which used for secure communication between webhook server and kubernetes api server. +## Please provide the TLS keys and certificates with format as mentioned in this doc: +## https://docs.confluent.io/operator/current/co-network-encryption.html#provide-tls-keys-and-certificates-in-pem-format. +## The certificate must have the Subject Alternative Name (SAN) of the form: confluent-operator..svc +webhooks: + enabled: false + port: 8443 + tls: + secretRef: "" + directoryPathInContainer: "" + +## +## Pod annotations/labels configurations +## +pod: + annotations: + prometheus.io/path: "/metrics" + prometheus.io/port: "7778" + prometheus.io/scrape: "true" + labels: {} +# labels: +# key: "value" + +## +## Load license from the secret reference +## +Deprecated, use license.secretRef instead. +## +licenseSecretRef: "" + +## +## Volumes to mount on CFK operator +## Refer to the Kubernetes volume/volumeMounts format: https://kubernetes.io/docs/concepts/storage/volumes/ +## +## Example with a PVC. +## mountedVolumes: +## volumes: +## - name: custom-volume +## persistentVolumeClaim: +## claimName: pvc-test +## volumeMounts: +## - name: custom-volume +## mountPath: /mnt/ +## +mountedVolumes: + volumes: [] + volumeMounts: [] diff --git a/charts/speedscale/speedscale-operator/2.2.419/.helmignore b/charts/speedscale/speedscale-operator/2.2.419/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.419/.helmignore 
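Review bot: `containerSecurity.enabled: false` with `securityContext: {}` ships the operator container with no container-level hardening, and the pod-level `podSecurity.securityContext` only sets `fsGroup`, `runAsUser` and `runAsNonRoot`, so none of the defaults set `allowPrivilegeEscalation: false`, drop capabilities or pick a seccomp profile. On a cluster enforcing the `restricted` Pod Security Standard the operator pod is rejected until the user supplies those fields themselves. If the deployment template renders `containerSecurity.securityContext` as given (I cannot see it from this hunk), a hardened default as below stays backward-compatible for users who already override it. Separately, the line `Deprecated, use license.secretRef instead.` above `licenseSecretRef` appears here without a `##` prefix; if the file really reads that way it is not valid YAML and should be `## Deprecated, use license.secretRef instead.`.
```yaml
# … unchanged: podSecurity …
containerSecurity:
  enabled: true
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
# … unchanged: serviceAccount, rbac, clusterRole, telemetry … …
```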
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/speedscale/speedscale-operator/2.2.419/Chart.yaml b/charts/speedscale/speedscale-operator/2.2.419/Chart.yaml
new file mode 100644
index 000000000..41057f666
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.2.419/Chart.yaml
@@ -0,0 +1,27 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Speedscale Operator
+ catalog.cattle.io/kube-version: '>= 1.17.0-0'
+ catalog.cattle.io/release-name: speedscale-operator
+apiVersion: v1
+appVersion: 2.2.419
+description: Stress test your APIs with real world scenarios. Collect and replay
+ traffic without scripting.
+home: https://speedscale.com
+icon: file://assets/icons/speedscale-operator.png
+keywords:
+- speedscale
+- test
+- testing
+- regression
+- reliability
+- load
+- replay
+- network
+- traffic
+kubeVersion: '>= 1.17.0-0'
+maintainers:
+- email: support@speedscale.com
+ name: Speedscale Support
+name: speedscale-operator
+version: 2.2.419
diff --git a/charts/speedscale/speedscale-operator/2.2.419/LICENSE b/charts/speedscale/speedscale-operator/2.2.419/LICENSE
new file mode 100644
index 000000000..b78723d62
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.2.419/LICENSE
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2021 Speedscale + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/speedscale/speedscale-operator/2.2.419/README.md b/charts/speedscale/speedscale-operator/2.2.419/README.md new file mode 100644 index 000000000..6ca25eed9 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.419/README.md 
@@ -0,0 +1,111 @@ +![GitHub Tag](https://img.shields.io/github/v/tag/speedscale/operator-helm) + + +# Speedscale Operator + +The [Speedscale](https://www.speedscale.com) Operator is a [Kubernetes operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/) +that watches for deployments to be applied to the cluster and takes action based on annotations. The operator +can inject a proxy to capture traffic into or out of applications, or setup an isolation test environment around +a deployment for testing. The operator itself is a deployment that will be always present on the cluster once +the helm chart is installed. + +## Prerequisites + +- Kubernetes 1.20+ +- Helm 3+ +- Appropriate [network and firewall configuration](https://docs.speedscale.com/reference/networking) for Speedscale cloud and webhook traffic + +## Get Repo Info + +```bash +helm repo add speedscale https://speedscale.github.io/operator-helm/ +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +An API key is required. Sign up for a [free Speedscale trial](https://speedscale.com/free-trial/) if you do not have one. + +```bash +helm install speedscale-operator speedscale/speedscale-operator \ + -n speedscale \ + --create-namespace \ + --set apiKey= \ + --set clusterName= +``` + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +### Pre-install job failure + +We use pre-install job to check provided API key and provision some of the required resources. 
+ +If the job failed during the installation, you'll see the following error during install: + +``` +Error: INSTALLATION FAILED: failed pre-install: job failed: BackoffLimitExceeded +``` + +You can inspect the logs using this command: + +```bash +kubectl -n speedscale logs job/speedscale-operator-pre-install +``` + +After fixing the error, uninstall the helm release, delete the failed job +and try installing again: + +```bash +helm -n speedscale uninstall speedscale-operator +kubectl -n speedscale delete job speedscale-operator-pre-install +``` + +## Uninstall Chart + +```bash +helm -n speedscale uninstall speedscale-operator +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +CRDs created by this chart are not removed by default and should be manually cleaned up: + +```bash +kubectl delete crd trafficreplays.speedscale.com +``` + +## Upgrading Chart + +```bash +helm repo update +helm -n speedscale upgrade speedscale-operator speedscale/speedscale-operator +``` + +Resources capturing traffic will need to be rolled to pick up the latest +Speedscale sidecar. Use the rollout restart command for each namespace and +resource type: + +```bash +kubectl -n rollout restart deployment +``` + +With Helm v3, CRDs created by this chart are not updated by default +and should be manually updated. +Consult also the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions). + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### Upgrading an existing Release to a new version + +A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an +incompatible breaking change needing manual actions. 
+ + +## Help + +Speedscale docs information available at [docs.speedscale.com](https://docs.speedscale.com) or join us +on the [Speedscale community Slack](https://join.slack.com/t/speedscalecommunity/shared_invite/zt-x5rcrzn4-XHG1QqcHNXIM~4yozRrz8A)! diff --git a/charts/speedscale/speedscale-operator/2.2.419/app-readme.md b/charts/speedscale/speedscale-operator/2.2.419/app-readme.md new file mode 100644 index 000000000..6ca25eed9 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.419/app-readme.md 
@@ -0,0 +1,111 @@ +![GitHub Tag](https://img.shields.io/github/v/tag/speedscale/operator-helm) + + +# Speedscale Operator + +The [Speedscale](https://www.speedscale.com) Operator is a [Kubernetes operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/) +that watches for deployments to be applied to the cluster and takes action based on annotations. The operator +can inject a proxy to capture traffic into or out of applications, or setup an isolation test environment around +a deployment for testing. The operator itself is a deployment that will be always present on the cluster once +the helm chart is installed. + +## Prerequisites + +- Kubernetes 1.20+ +- Helm 3+ +- Appropriate [network and firewall configuration](https://docs.speedscale.com/reference/networking) for Speedscale cloud and webhook traffic + +## Get Repo Info + +```bash +helm repo add speedscale https://speedscale.github.io/operator-helm/ +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +An API key is required. Sign up for a [free Speedscale trial](https://speedscale.com/free-trial/) if you do not have one. + +```bash +helm install speedscale-operator speedscale/speedscale-operator \ + -n speedscale \ + --create-namespace \ + --set apiKey= \ + --set clusterName= +``` + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +### Pre-install job failure + +We use pre-install job to check provided API key and provision some of the required resources. 
+ +If the job failed during the installation, you'll see the following error during install: + +``` +Error: INSTALLATION FAILED: failed pre-install: job failed: BackoffLimitExceeded +``` + +You can inspect the logs using this command: + +```bash +kubectl -n speedscale logs job/speedscale-operator-pre-install +``` + +After fixing the error, uninstall the helm release, delete the failed job +and try installing again: + +```bash +helm -n speedscale uninstall speedscale-operator +kubectl -n speedscale delete job speedscale-operator-pre-install +``` + +## Uninstall Chart + +```bash +helm -n speedscale uninstall speedscale-operator +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +CRDs created by this chart are not removed by default and should be manually cleaned up: + +```bash +kubectl delete crd trafficreplays.speedscale.com +``` + +## Upgrading Chart + +```bash +helm repo update +helm -n speedscale upgrade speedscale-operator speedscale/speedscale-operator +``` + +Resources capturing traffic will need to be rolled to pick up the latest +Speedscale sidecar. Use the rollout restart command for each namespace and +resource type: + +```bash +kubectl -n rollout restart deployment +``` + +With Helm v3, CRDs created by this chart are not updated by default +and should be manually updated. +Consult also the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions). + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### Upgrading an existing Release to a new version + +A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an +incompatible breaking change needing manual actions. 
+
+
+## Help
+
+Speedscale docs information available at [docs.speedscale.com](https://docs.speedscale.com) or join us
+on the [Speedscale community Slack](https://join.slack.com/t/speedscalecommunity/shared_invite/zt-x5rcrzn4-XHG1QqcHNXIM~4yozRrz8A)!
diff --git a/charts/speedscale/speedscale-operator/2.2.419/questions.yaml b/charts/speedscale/speedscale-operator/2.2.419/questions.yaml
new file mode 100644
index 000000000..29aee3895
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.2.419/questions.yaml
@@ -0,0 +1,9 @@
+questions:
+- variable: apiKey
+ default: "fffffffffffffffffffffffffffffffffffffffffffff"
+ description: "An API key is required to connect to the Speedscale cloud."
+ required: true
+ type: string
+ label: API Key
+ group: Authentication
+
diff --git a/charts/speedscale/speedscale-operator/2.2.419/templates/NOTES.txt b/charts/speedscale/speedscale-operator/2.2.419/templates/NOTES.txt
new file mode 100644
index 000000000..cabb59b17
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.2.419/templates/NOTES.txt
@@ -0,0 +1,12 @@
+Thank you for installing the Speedscale Operator!
+
+Next you'll need to add the Speedscale Proxy Sidecar to your deployments.
+See https://docs.speedscale.com/setup/sidecar/install/
+
+If upgrading use the rollout restart command for each namespace and resource
+type to ensure Speedscale sidecars are updated:
+
+ kubectl -n rollout restart deployment
+
+Once your deployment is running the sidecar your service will show up on
+https://app.speedscale.com/.
diff --git a/charts/speedscale/speedscale-operator/2.2.419/templates/admission.yaml b/charts/speedscale/speedscale-operator/2.2.419/templates/admission.yaml
new file mode 100644
index 000000000..301748a61
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.2.419/templates/admission.yaml
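Review bot: In questions.yaml the `default: "fffff…"` for `apiKey` is a 45-character placeholder that looks like a real credential and is submitted verbatim whenever the user leaves the pre-filled field alone, so the pre-install job fails against the Speedscale API instead of the form catching the omission. Since the field is already `required: true`, `default: ""` lets the catalog UI refuse an empty key up front and avoids a fake-looking secret being copied into other configs. If the non-empty default is there to satisfy a form validator, a comment saying so would keep the next maintainer from "fixing" it.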
@@ -0,0 +1,209 @@ +{{- $cacrt := "" -}} +{{- $crt := "" -}} +{{- $key := "" -}} +{{- $s := (lookup "v1" "Secret" .Release.Namespace "speedscale-webhook-certs") -}} +{{- if $s -}} +{{- $cacrt = index $s.data "ca.crt" | default (index $s.data "tls.crt") | b64dec -}} +{{- $crt = index $s.data "tls.crt" | b64dec -}} +{{- $key = index $s.data "tls.key" | b64dec -}} +{{ else }} +{{- $altNames := list ( printf "speedscale-operator.%s" .Release.Namespace ) ( printf "speedscale-operator.%s.svc" .Release.Namespace ) -}} +{{- $ca := genCA "speedscale-operator" 3650 -}} +{{- $cert := genSignedCert "speedscale-operator" nil $altNames 3650 $ca -}} +{{- $cacrt = $ca.Cert -}} +{{- $crt = $cert.Cert -}} +{{- $key = $cert.Key -}} +{{- end -}} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + creationTimestamp: null + name: speedscale-operator + annotations: + argocd.argoproj.io/hook: PreSync + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + caBundle: {{ $cacrt | b64enc }} + service: + name: speedscale-operator + namespace: {{ .Release.Namespace }} + path: /mutate + failurePolicy: Ignore + name: sidecar.speedscale.com + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: "NotIn" + values: + - kube-system + - kube-node-lease + {{- if .Values.namespaceSelector }} + - key: kubernetes.io/metadata.name + operator: "In" + values: + {{- range .Values.namespaceSelector }} + - {{ . 
| quote }} + {{- end }} + {{- end }} + reinvocationPolicy: IfNeeded + rules: + - apiGroups: + - apps + - batch + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - deployments + - statefulsets + - daemonsets + - jobs + - replicasets + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - pods + - apiGroups: + - argoproj.io + apiVersions: + - "*" + operations: + - CREATE + - UPDATE + - DELETE + resources: + - rollouts + sideEffects: None + timeoutSeconds: 10 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + creationTimestamp: null + name: speedscale-operator-replay + annotations: + argocd.argoproj.io/hook: PreSync + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + caBundle: {{ $cacrt | b64enc }} + service: + name: speedscale-operator + namespace: {{ .Release.Namespace }} + path: /mutate-speedscale-com-v1-trafficreplay + failurePolicy: Fail + name: replay.speedscale.com + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: "NotIn" + values: + - kube-system + - kube-node-lease + {{- if .Values.namespaceSelector }} + - key: kubernetes.io/metadata.name + operator: "In" + values: + {{- range .Values.namespaceSelector }} + - {{ . 
| quote }} + {{- end }} + {{- end }} + rules: + - apiGroups: + - speedscale.com + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - trafficreplays + sideEffects: None + timeoutSeconds: 10 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + creationTimestamp: null + name: speedscale-operator-replay + annotations: + argocd.argoproj.io/hook: PreSync + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + caBundle: {{ $cacrt | b64enc }} + service: + name: speedscale-operator + namespace: {{ .Release.Namespace }} + path: /validate-speedscale-com-v1-trafficreplay + failurePolicy: Fail + name: replay.speedscale.com + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: "NotIn" + values: + - kube-system + - kube-node-lease + {{- if .Values.namespaceSelector }} + - key: kubernetes.io/metadata.name + operator: "In" + values: + {{- range .Values.namespaceSelector }} + - {{ . | quote }} + {{- end }} + {{- end }} + rules: + - apiGroups: + - speedscale.com + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - trafficreplays + sideEffects: None + timeoutSeconds: 10 +--- +apiVersion: v1 +kind: Secret +metadata: + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} + creationTimestamp: null + name: speedscale-webhook-certs + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ $cacrt | b64enc }} + tls.crt: {{ $crt | b64enc }} + tls.key: {{ $key | b64enc }} diff --git a/charts/speedscale/speedscale-operator/2.2.419/templates/configmap.yaml b/charts/speedscale/speedscale-operator/2.2.419/templates/configmap.yaml new file mode 100644 index 000000000..04dfda91a --- /dev/null 
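Review bot: The `lookup` that opens admission.yaml returns nothing when the chart is rendered without a live API server (`helm template`, `--dry-run`, GitOps tooling that templates client-side), so on every such render a fresh CA and serving key pair are minted and the `caBundle` written into the three webhook configurations need not match the `tls.crt`/`tls.key` the operator mounts from `speedscale-webhook-certs` — with `failurePolicy: Fail` on the two `replay.speedscale.com` webhooks that blocks all TrafficReplay writes. A comment above the `lookup` line stating that precondition is warranted, e.g. `# Reuse the existing webhook certs if present; without API access (helm template / --dry-run) a new CA is generated on every render and caBundle and Secret can diverge.` Note also that `$ca.Key` is never stored, so the CA cannot sign a replacement serving cert later; rotation means regenerating everything, which the 3650-day validity makes rare but easy to forget. Whether the operator reloads the mounted cert without a restart is not visible here.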
+++ b/charts/speedscale/speedscale-operator/2.2.419/templates/configmap.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: speedscale-operator
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ argocd.argoproj.io/hook: PreSync
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+data:
+ CLUSTER_NAME: {{ .Values.clusterName }}
+ IMAGE_PULL_POLICY: {{ .Values.image.pullPolicy }}
+ IMAGE_PULL_SECRETS: ""
+ IMAGE_REGISTRY: {{ .Values.image.registry }}
+ IMAGE_TAG: {{ .Values.image.tag }}
+ INSTANCE_ID: '{{- $cm := (lookup "v1" "ConfigMap" .Release.Namespace "speedscale-operator") -}}{{ if $cm }}{{ $cm.data.INSTANCE_ID }}{{ else }}{{ ( printf "%s-%s" .Values.clusterName uuidv4 ) }}{{ end }}'
+ LOG_LEVEL: {{ .Values.logLevel }}
+ SPEEDSCALE_DLP_CONFIG: {{ .Values.dlp.config }}
+ SPEEDSCALE_FILTER_RULE: {{ .Values.filterRule }}
+ TELEMETRY_INTERVAL: 1s
+ WITH_DLP: {{ .Values.dlp.enabled | quote }}
+ WITH_INSPECTOR: {{ .Values.dashboardAccess | quote }}
+ API_KEY_SECRET_NAME: {{ .Values.apiKeySecret | quote }}
+ DEPLOY_DEMO: {{ .Values.deployDemo | quote }}
+ GLOBAL_ANNOTATIONS: {{ .Values.globalAnnotations | toJson | quote }}
+ GLOBAL_LABELS: {{ .Values.globalLabels | toJson | quote }}
+ {{- if .Values.http_proxy }}
+ HTTP_PROXY: {{ .Values.http_proxy }}
+ {{- end }}
+ {{- if .Values.https_proxy }}
+ HTTPS_PROXY: {{ .Values.https_proxy }}
+ {{- end }}
+ {{- if .Values.no_proxy }}
+ NO_PROXY: {{ .Values.no_proxy }}
+ {{- end }}
+ PRIVILEGED_SIDECARS: {{ .Values.privilegedSidecars | quote }}
+ DISABLE_SMARTDNS: {{ .Values.disableSidecarSmartReverseDNS | quote }}
+ SIDECAR_CONFIG: {{ .Values.sidecar | toJson | quote }}
+ FORWARDER_CONFIG: {{ .Values.forwarder | toJson | quote }}
+ TEST_PREP_TIMEOUT: {{ .Values.operator.test_prep_timeout }}
+ CONTROL_PLANE_TIMEOUT: {{ .Values.operator.control_plane_timeout }}
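Review bot: Several entries in the `data:` block are rendered unquoted (`CLUSTER_NAME`, `IMAGE_PULL_POLICY`, `IMAGE_REGISTRY`, `IMAGE_TAG`, `LOG_LEVEL`, `SPEEDSCALE_DLP_CONFIG`, `SPEEDSCALE_FILTER_RULE`, the three proxy settings, `TEST_PREP_TIMEOUT`, `CONTROL_PLANE_TIMEOUT`) while the rest use `| quote`. ConfigMap `data` values must be strings, so a value YAML reads as a number, boolean or null (an empty `filterRule`, a numeric timeout) yields an object the API server rejects or a `null`, and a value containing `: ` or `#` changes the document structure. Applying `| quote` uniformly — e.g. `CLUSTER_NAME: {{ .Values.clusterName | quote }}` and `TEST_PREP_TIMEOUT: {{ .Values.operator.test_prep_timeout | quote }}` — removes that class of failure without changing what the operator receives. `INSTANCE_ID` shares the `lookup` caveat of the webhook certificates: without API access a new `uuidv4` suffix is generated on every render, which a short comment on that line should say.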
diff --git a/charts/speedscale/speedscale-operator/2.2.419/templates/crds/trafficreplays.yaml b/charts/speedscale/speedscale-operator/2.2.419/templates/crds/trafficreplays.yaml
new file mode 100644
index 000000000..1bee7e157
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.2.419/templates/crds/trafficreplays.yaml
@@ -0,0 +1,523 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + creationTimestamp: null + name: trafficreplays.speedscale.com +spec: + group: speedscale.com + names: + kind: TrafficReplay + listKind: TrafficReplayList + plural: trafficreplays + shortNames: + - replay + singular: trafficreplay + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.active + name: Active + type: boolean + - jsonPath: .spec.mode + name: Mode + type: string + - jsonPath: .status.conditions[-1:].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: TrafficReplay is the Schema for the trafficreplays API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TrafficReplaySpec defines the desired state of TrafficReplay + properties: + buildTag: + description: |- + BuildTag links a unique tag, build hash, etc. to the generated + traffic replay report. That way you can connect the report results to the + version of the code that was tested. + type: string + cleanup: + description: |- + Cleanup is the name of cleanup mode used for this + TrafficReplay. 
+ enum: + - inventory + - all + - none + type: string + collectLogs: + description: |- + CollectLogs enables or disables log collection from target + workload. Defaults to true. + DEPRECATED: use TestReport.ActualConfig.Cluster.CollectLogs + type: boolean + configChecksum: + description: |- + ConfigChecksum, managed my the operator, is the SHA1 checksum of the + configuration. + type: string + customURL: + description: |- + CustomURL specifies a custom URL to send *ALL* traffic to. Use + Workload.CustomURI to send traffic to a specific URL for only that + workload. + type: string + generatorLowData: + description: |- + GeneratorLowData forces the generator into a high + efficiency/low data output mode. This is ideal for high volume + performance tests. Defaults to false. + DEPRECATED + type: boolean + mode: + description: Mode is the name of replay mode used for this TrafficReplay. + enum: + - full-replay + - responder-only + - generator-only + type: string + needsReport: + description: Indicates whether a responder-only replay needs a report. + type: boolean + proxyMode: + description: |- + ProxyMode defines proxy operational mode used with injected sidecar. + DEPRECATED + type: string + responderLowData: + description: |- + ResponderLowData forces the responder into a high + efficiency/low data output mode. This is ideal for high volume + performance tests. Defaults to false. + DEPRECATED + type: boolean + secretRefs: + description: |- + SecretRefs hold the references to the secrets which contain + various secrets like (e.g. short-lived JWTs to be used by the generator + for authorization with HTTP calls). + items: + description: |- + LocalObjectReference contains enough information to locate the referenced + Kubernetes resource object. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + type: array + sidecar: + description: |- + Sidecar defines sidecar specific configuration. 
+ DEPRECATED: use Workloads + properties: + inject: + description: 'DEPRECATED: do not use' + type: boolean + patch: + description: Patch is .yaml file patch for the Workload + format: byte + type: string + tls: + properties: + in: + description: In provides configuration for sidecar inbound + TLS. + properties: + private: + description: Private is the filename of the TLS inbound + private key. + type: string + public: + description: Public is the filename of the TLS inbound + public key. + type: string + secret: + description: Secret is a secret with the TLS keys to use + for inbound traffic. + type: string + type: object + mutual: + description: Mutual provides configuration for sidecar mutual + TLS. + properties: + private: + description: Private is the filename of the mutual TLS + private key. + type: string + public: + description: Public is the filename of the mutual TLS + public key. + type: string + secret: + description: Secret is a secret with the mutual TLS keys. + type: string + type: object + out: + description: |- + Out enables or disables TLS out on the + sidecar during replay. + type: boolean + type: object + type: object + snapshotID: + description: |- + SnapshotID is the id of the traffic snapshot for this + TrafficReplay. + type: string + testConfigID: + description: |- + TestConfigID is the id of the replay configuration to be used + by the generator and responder for the TrafficReplay. + type: string + timeout: + description: |- + Timeout is the time to wait for replay test to finish. Defaults + to value of the `TIMEOUT` setting of the operator. + type: string + ttlAfterReady: + description: |- + TTLAfterReady provides a TTL (time to live) mechanism to limit + the lifetime of TrafficReplay object that have finished the execution and + reached its final state (either complete or failed). + type: string + workloadRef: + description: |- + WorkloadRef is the reference to the target workload (SUT) for + TrafficReplay. 
The operations will be performed in the namespace of the + target object. + DEPRECATED: use Workloads + properties: + apiVersion: + description: API version of the referenced object. + type: string + kind: + description: Kind of the referenced object. Defaults to "Deployment". + type: string + name: + description: |- + Name of the referenced object. Required when defining for a test unless a + custom URI is provided. Always required when defining mocks. + type: string + namespace: + description: Namespace of the referenced object. Defaults to the + TrafficReplay namespace. + type: string + required: + - name + type: object + workloads: + description: |- + Workloads define target workloads (SUT) for a TrafficReplay. Many + workloads may be provided, or none. Workloads may be modified and + restarted during replay to configure communication with a responder. + items: + description: |- + Workload represents a Kubernetes workload to be targeted during replay and + associated settings. + properties: + customURI: + description: |- + CustomURI will be target of the traffic instead of directly targeting + workload. This is required if a Ref is not specified. + type: string + inTrafficKey: + description: 'DEPRECATED: use Tests' + type: string + inTrafficKeys: + description: 'DEPRECATED: use Tests' + items: + type: string + type: array + mocks: + description: |- + Mocks are strings used to identify slices of outbound snapshot traffic to + mock for this workload and maps directly to a snapshot's `OutTraffic` + field. Snapshot egress traffic can be split across multiple slices where + each slice contains part of the traffic. A workload may specify multiple + keys and multiple workloads may specify the same key. + + + Only the traffic slices defined here will be mocked. A workload with no + keys defined will not mock any traffic. Pass '*' to mock all traffic. + + + Mock strings may only match part of the snapshot's `OutTraffic` key if the + string matches exactly one key. 
For example, the test string + `foo.example.com` would match the `OutTraffic` key of + my-service:foo.example.com:8080, as long as no other keys would match + `foo.example.com`. Multiple mocks must be specified for multiple keys + unless using '*'. + items: + type: string + type: array + outTrafficKeys: + description: 'DEPRECATED: use Mocks' + items: + type: string + type: array + ref: + description: |- + Ref is a reference to a cluster workload, like a deployment or a + statefulset. This is required unless a CustomURI is specified. + properties: + apiVersion: + description: API version of the referenced object. + type: string + kind: + description: Kind of the referenced object. Defaults to + "Deployment". + type: string + name: + description: |- + Name of the referenced object. Required when defining for a test unless a + custom URI is provided. Always required when defining mocks. + type: string + namespace: + description: Namespace of the referenced object. Defaults + to the TrafficReplay namespace. + type: string + required: + - name + type: object + routing: + description: Routing configures how workloads route egress traffic + to responders + enum: + - hostalias + - nat + type: string + sidecar: + description: |- + TODO: this is not implemented, come back and replace deprecated Sidecar with workload specific settings + Sidecar defines sidecar specific configuration. + properties: + inject: + description: 'DEPRECATED: do not use' + type: boolean + patch: + description: Patch is .yaml file patch for the Workload + format: byte + type: string + tls: + properties: + in: + description: In provides configuration for sidecar inbound + TLS. + properties: + private: + description: Private is the filename of the TLS + inbound private key. + type: string + public: + description: Public is the filename of the TLS inbound + public key. + type: string + secret: + description: Secret is a secret with the TLS keys + to use for inbound traffic. 
+ type: string + type: object + mutual: + description: Mutual provides configuration for sidecar + mutual TLS. + properties: + private: + description: Private is the filename of the mutual + TLS private key. + type: string + public: + description: Public is the filename of the mutual + TLS public key. + type: string + secret: + description: Secret is a secret with the mutual + TLS keys. + type: string + type: object + out: + description: |- + Out enables or disables TLS out on the + sidecar during replay. + type: boolean + type: object + type: object + tests: + description: |- + Tests are strings used to identify slices of inbound snapshot traffic this + workload is targeting and maps directly to a snapshot's `InTraffic` field. + Snapshot ingress traffic can be split across multiple slices where each + slice contains part of the traffic. A key must only be specified once + across all workloads, but a workload may specify multiple keys. Pass '*' + to match all keys. + + + Test strings may only match part of the snapshot's `InTraffic` key if the + string matches exactly one key. For example, the test string + `foo.example.com` would match the `InTraffic` key of + my-service:foo.example.com:8080, as long as no other keys would match + `foo.example.com` + + + This field is optional in the spec to provide support for single-workload + and legacy replays, but must be specified for multi-workload replays in + order to provide deterministic replay configuration. + items: + type: string + type: array + type: object + type: array + required: + - snapshotID + - testConfigID + type: object + status: + default: + observedGeneration: -1 + description: TrafficReplayStatus defines the observed state of TrafficReplay + properties: + active: + description: Active indicates whether this traffic replay is currently + underway or not. 
+ type: boolean + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + finishedTime: + description: Information when the traffic replay has finished. + format: date-time + type: string + initializedTime: + description: Information when the test environment was successfully + prepared. + format: date-time + type: string + lastHeartbeatTime: + description: 'DEPRECATED: will not be set' + format: date-time + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + reconcileFailures: + description: |- + ReconcileFailures is the number of times the traffic replay controller + experienced an error during the reconciliation process. The traffic + replay will be deleted if too many errors occur. + format: int64 + type: integer + reportID: + description: The id of the traffic replay report created. + type: string + reportURL: + description: The url to the traffic replay report. + type: string + startedTime: + description: Information when the traffic replay has started. 
+ format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/charts/speedscale/speedscale-operator/2.2.419/templates/deployments.yaml b/charts/speedscale/speedscale-operator/2.2.419/templates/deployments.yaml new file mode 100644 index 000000000..e5f329257 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.419/templates/deployments.yaml 
@@ -0,0 +1,132 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + operator.speedscale.com/ignore: "true" + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} + labels: + app: speedscale-operator + controlplane.speedscale.com/component: operator + {{- if .Values.globalLabels }} +{{ toYaml .Values.globalLabels | indent 4}} + {{- end }} + name: speedscale-operator + namespace: {{ .Release.Namespace }} +spec: + replicas: 1 + selector: + matchLabels: + app: speedscale-operator + controlplane.speedscale.com/component: operator + strategy: + type: Recreate + template: + metadata: + annotations: + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 8}} + {{- end }} + labels: + app: speedscale-operator + controlplane.speedscale.com/component: operator + {{- if .Values.globalLabels }} +{{ toYaml .Values.globalLabels | indent 8}} + {{- end }} + spec: + containers: + - command: + - /operator + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + envFrom: + - configMapRef: + name: speedscale-operator + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core + # When a key exists in multiple sources, the value associated with the last source will take precedence. + # Values defined by an Env with a duplicate key will take precedence. 
+ - configMapRef: + name: speedscale-operator-override + optional: true + - secretRef: + name: '{{ ne .Values.apiKeySecret "" | ternary .Values.apiKeySecret "speedscale-apikey" }}' + optional: false + image: '{{ .Values.image.registry }}/operator:{{ .Values.image.tag }}' + imagePullPolicy: {{ .Values.image.pullPolicy }} + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: health-check + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: operator + ports: + - containerPort: 443 + name: webhook-server + - containerPort: 8081 + name: health-check + readinessProbe: + failureThreshold: 10 + httpGet: + path: /readyz + port: health-check + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + resources: {{- toYaml .Values.operator.resources | nindent 10 }} + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + # Run as root to bind 443 https://github.com/kubernetes/kubernetes/issues/56374 + runAsUser: 0 + volumeMounts: + - mountPath: /tmp + name: tmp + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: webhook-certs + readOnly: true + - mountPath: /etc/ssl/speedscale + name: speedscale-tls-out + readOnly: true + hostNetwork: {{ .Values.hostNetwork }} + securityContext: + runAsNonRoot: true + serviceAccountName: speedscale-operator + terminationGracePeriodSeconds: 10 + volumes: + - emptyDir: {} + name: tmp + - name: webhook-certs + secret: + secretName: speedscale-webhook-certs + - name: speedscale-tls-out + secret: + secretName: speedscale-certs + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{ toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} 
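Review bot: The container `securityContext` sets `runAsNonRoot: false` and `runAsUser: 0`, which overrides the pod-level `runAsNonRoot: true` a few lines further down, so the operator runs as root solely to bind port 443 — combined with the cluster-wide write access to secrets, roles and rolebindings granted in rbac.yaml, a compromise of this pod carries more than a webhook server needs. Serving on an unprivileged port and pointing the Service's `targetPort` at it would restore non-root if the `/operator` binary exposes a listen-port setting (not visible here); alternatively the safe sysctl `net.ipv4.ip_unprivileged_port_start: "0"` in the pod `securityContext` allows binding 443 without root. Either way `capabilities: { drop: [ALL] }` is missing from the container context and costs nothing. The pod-level `runAsNonRoot: true` is misleading as written and should carry a comment that the container setting overrides it, or be removed.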
diff --git a/charts/speedscale/speedscale-operator/2.2.419/templates/hooks.yaml b/charts/speedscale/speedscale-operator/2.2.419/templates/hooks.yaml
new file mode 100644
index 000000000..3e8231f19
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.2.419/templates/hooks.yaml
@@ -0,0 +1,73 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "4" + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} + creationTimestamp: null + name: speedscale-operator-pre-install + namespace: {{ .Release.Namespace }} + labels: + {{- if .Values.globalLabels }} +{{ toYaml .Values.globalLabels | indent 4}} + {{- end }} +spec: + backoffLimit: 0 + ttlSecondsAfterFinished: 30 + template: + metadata: + annotations: + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 8}} + {{- end }} + creationTimestamp: null + labels: + {{- if .Values.globalLabels }} +{{ toYaml .Values.globalLabels | indent 8}} + {{- end }} + spec: + containers: + - args: + - |- + # ensure valid settings before the chart reports a successfull install + {{- if .Values.http_proxy }} + HTTP_PROXY={{ .Values.http_proxy | quote }} \ + {{- end }} + {{- if .Values.https_proxy }} + HTTPS_PROXY={{ .Values.https_proxy | quote }} \ + {{- end }} + {{- if .Values.no_proxy }} + NO_PROXY={{ .Values.no_proxy | quote }} \ + {{- end }} + speedctl init --overwrite --no-rcfile-update \ + --api-key $SPEEDSCALE_API_KEY \ + --app-url $SPEEDSCALE_APP_URL + + # in case we're in istio + curl -X POST http://127.0.0.1:15000/quitquitquit || true + command: + - sh + - -c + envFrom: + - secretRef: + name: '{{ ne .Values.apiKeySecret "" | ternary .Values.apiKeySecret "speedscale-apikey" }}' + optional: false + image: '{{ .Values.image.registry }}/speedscale-cli:{{ .Values.image.tag }}' + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: speedscale-cli + resources: {} + restartPolicy: Never + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{ toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- if 
.Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} diff --git a/charts/speedscale/speedscale-operator/2.2.419/templates/rbac.yaml b/charts/speedscale/speedscale-operator/2.2.419/templates/rbac.yaml new file mode 100644 index 000000000..e1ea42d99 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.419/templates/rbac.yaml 
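Review bot: The `sh -c` script ends with `curl -X POST http://127.0.0.1:15000/quitquitquit || true`, and with no `set -e` the Job's exit status is that of this last command, which is always 0 — so a failing `speedctl init` (wrong API key, unreachable app URL) is never reported and the pre-install gate the README describes cannot trip. Record the result before the istio quit call, `speedctl init ... --app-url "$SPEEDSCALE_APP_URL"; rc=$?`, and end the script with `exit $rc`; a bare `set -e` would instead skip the quitquitquit call on failure and leave an istio-proxied pod running. Quoting `"$SPEEDSCALE_API_KEY"` and `"$SPEEDSCALE_APP_URL"` also avoids word splitting. The `speedscale-operator-create-jks` Job in tls.yaml later in this patch has the same trailing `|| true` pattern (its hunk runs past the end of this view). Passing the key as `--api-key` exposes it in the node's process list while `speedctl` runs; if `speedctl` honours `SPEEDSCALE_API_KEY` from the environment, the flag can be dropped.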
@@ -0,0 +1,244 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: speedscale-operator + {{- if .Values.globalAnnotations }} + annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }} + {{- end }} +rules: +- apiGroups: + - apps + resources: + - deployments + - statefulsets + - daemonsets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - replicasets + verbs: + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + verbs: + - get + - list +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - secrets + - pods + - services + - serviceaccounts + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list +- apiGroups: + - "" + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - metrics.k8s.io + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - networking.istio.io + resources: + - envoyfilters + 
- sidecars + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - security.istio.io + resources: + - peerauthentications + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - speedscale.com + resources: + - trafficreplays + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - speedscale.com + resources: + - trafficreplays/status + verbs: + - get + - update + - patch +- apiGroups: + - argoproj.io + resources: + - rollouts + verbs: + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: speedscale-operator + {{- if .Values.globalAnnotations }} + annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: speedscale-operator +subjects: +- kind: ServiceAccount + name: speedscale-operator + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: speedscale-operator + controlplane.speedscale.com/component: operator + name: speedscale-operator + namespace: {{ .Release.Namespace }} + {{- if .Values.globalAnnotations }} + annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }} + {{- end }} diff --git a/charts/speedscale/speedscale-operator/2.2.419/templates/secrets.yaml b/charts/speedscale/speedscale-operator/2.2.419/templates/secrets.yaml new file mode 100644 index 000000000..1fb6999e4 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.419/templates/secrets.yaml 
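Review bot: The ClusterRole grants `create`/`patch`/`delete` on `secrets`, `serviceaccounts`, `roles` and `rolebindings`, plus `list`/`watch` on `secrets`, across every namespace; a service account holding that set can read any namespace's credentials and extend its own permissions through RoleBindings, so the operator pod (run as root per deployments.yaml) is a high-value target. If the operator only acts in namespaces matching `.Values.namespaceSelector`, per-namespace Roles would bound the damage, and `list`/`watch` on `secrets` could be dropped if it only needs named secrets via `get`. Whether the controller needs cluster scope is not visible here, so at minimum the `secrets` rule deserves a comment recording the reason, e.g. `# cluster-wide secret write access needed because: <reason to be filled in by chart owner>`.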
@@ -0,0 +1,18 @@
+---
+{{ if .Values.apiKey }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: speedscale-apikey
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-weight: "3"
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+type: Opaque
+data:
+ SPEEDSCALE_API_KEY: {{ .Values.apiKey | b64enc }}
+ SPEEDSCALE_APP_URL: {{ .Values.appUrl | b64enc }}
+{{ end }}
diff --git a/charts/speedscale/speedscale-operator/2.2.419/templates/services.yaml b/charts/speedscale/speedscale-operator/2.2.419/templates/services.yaml
new file mode 100644
index 000000000..f9da2c25c
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.2.419/templates/services.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ creationTimestamp: null
+ labels:
+ app: speedscale-operator
+ controlplane.speedscale.com/component: operator
+ name: speedscale-operator
+ namespace: {{ .Release.Namespace }}
+ {{- if .Values.globalAnnotations }}
+ annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }}
+ {{- end }}
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ selector:
+ app: speedscale-operator
+ controlplane.speedscale.com/component: operator
+status:
+ loadBalancer: {}
diff --git a/charts/speedscale/speedscale-operator/2.2.419/templates/tls.yaml b/charts/speedscale/speedscale-operator/2.2.419/templates/tls.yaml
new file mode 100644
index 000000000..4a2456288
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.2.419/templates/tls.yaml
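Review bot: The `speedscale-apikey` Secret is a `pre-install`-only hook with no `helm.sh/hook-delete-policy`, so Helm does not manage it as part of the release: changing `apiKey` on `helm upgrade` never rewrites it, and `helm uninstall` leaves the API key behind in the namespace. The hook is needed for ordering because the `create-jks` Job in tls.yaml consumes this Secret via `envFrom` before regular resources exist, so the fix is `helm.sh/hook: pre-install,pre-upgrade` plus `helm.sh/hook-delete-policy: before-hook-creation` so that key rotation through values works, with the retention after uninstall documented next to `apiKey` in values.yaml. `SPEEDSCALE_APP_URL` is not sensitive and could move to a ConfigMap so the Secret carries only the key.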
@@ -0,0 +1,183 @@
+{{- $crt := "" -}}
+{{- $key := "" -}}
+{{- $s := (lookup "v1" "Secret" .Release.Namespace "speedscale-certs") -}}
+{{- if $s -}}
+{{- $crt = index $s.data "tls.crt" | b64dec -}}
+{{- $key = index $s.data "tls.key" | b64dec -}}
+{{ else }}
+{{- $cert := genCA "Speedscale" 3650 -}}
+{{- $crt = $cert.Cert -}}
+{{- $key = $cert.Key -}}
+{{- end -}}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ helm.sh/hook-weight: "5"
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+ creationTimestamp: null
+ name: speedscale-operator-create-jks
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- if .Values.globalLabels }}
+{{ toYaml .Values.globalLabels | indent 4}}
+ {{- end }}
+spec:
+ backoffLimit: 0
+ ttlSecondsAfterFinished: 30
+ template:
+ metadata:
+ annotations:
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 8}}
+ {{- end }}
+ creationTimestamp: null
+ labels:
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 8}}
+ {{- end }}
+ spec:
+ containers:
+ - args:
+ - |-
+ keytool -keystore /usr/lib/jvm/jre/lib/security/cacerts -importcert -noprompt -trustcacerts -storepass changeit -alias speedscale -file /etc/ssl/speedscale/tls.crt
+ kubectl -n ${POD_NAMESPACE} delete secret speedscale-jks || true
+ kubectl -n ${POD_NAMESPACE} create secret generic speedscale-jks --from-file=cacerts.jks=/usr/lib/jvm/jre/lib/security/cacerts
+
+ # in case we're in istio
+ curl -X POST http://127.0.0.1:15000/quitquitquit || true
+ command:
+ - sh
+ - -c
+ volumeMounts:
+ - mountPath: /etc/ssl/speedscale
+ name: speedscale-tls-out
+ readOnly: true
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ envFrom:
+ - secretRef:
+ name: '{{ ne .Values.apiKeySecret "" | ternary .Values.apiKeySecret "speedscale-apikey" }}'
+ optional: false
+ image: '{{ .Values.image.registry }}/amazoncorretto'
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ name: create-jks
+ resources: {}
+ restartPolicy: Never
+ serviceAccountName: speedscale-operator-provisioning
+ volumes:
+ - name: speedscale-tls-out
+ secret:
+ secretName: speedscale-certs
+ {{- if .Values.affinity }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations: {{ toYaml .Values.tolerations | nindent 8 }}
+ {{- end }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ helm.sh/hook-weight: "1"
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+ creationTimestamp: null
+ labels:
+ app: speedscale-operator
+ controlplane.speedscale.com/component: operator
+ name: speedscale-operator-provisioning
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ helm.sh/hook-weight: "2"
+ creationTimestamp: null
+ name: speedscale-operator-provisioning
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ helm.sh/hook-weight: "3"
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+ creationTimestamp: null
+ name: speedscale-operator-provisioning
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: speedscale-operator-provisioning
+subjects:
+- kind: ServiceAccount
+ name: speedscale-operator-provisioning
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+ creationTimestamp: null
+ name: speedscale-certs
+ namespace: {{ .Release.Namespace }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ $crt | b64enc }}
+ tls.key: {{ $key | b64enc }}
diff --git a/charts/speedscale/speedscale-operator/2.2.419/values.yaml b/charts/speedscale/speedscale-operator/2.2.419/values.yaml
new file mode 100644
index 000000000..199752a36
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.2.419/values.yaml
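Review bot: The `speedscale-operator-provisioning` ClusterRole gives the one-shot `create-jks` Job cluster-wide create/delete/list/watch on every `secrets` object and on webhook configurations, yet the visible script only deletes and recreates `speedscale-jks` in its own namespace; because the binding's delete policy lists only `hook-succeeded` and the Job has `backoffLimit: 0`, a single failure leaves a ServiceAccount with read access to all Secrets in the cluster bound indefinitely. Replace the secrets rule with a namespaced `Role`/`RoleBinding` in `{{ .Release.Namespace }}` as below (the `get`/`watch` verbs cover kubectl's delete wait), add `hook-failed` to the delete policies so nothing survives a failed run, and keep the admissionregistration rule in a ClusterRole only if something outside this hunk actually uses it from this SA. Two smaller points in the same Job: `image: '{{ .Values.image.registry }}/amazoncorretto'` has no tag, so with `pullPolicy: Always` the hook pulls whatever `latest` resolves to at install time instead of a pinned, digest-verifiable build, and `envFrom` injects the API-key Secret into a container whose script never reads it and should be dropped. The generated CA key is stored in `speedscale-certs` with a 3650-day validity and the JVM trust store is left at the default `changeit` password; a short comment above `genCA` saying what this CA is later trusted for (presumably the JVM `cacerts` of instrumented workloads that receive `speedscale-jks`) would let operators judge the blast radius of that key.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    helm.sh/hook: pre-install
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
    helm.sh/hook-weight: "2"
  name: speedscale-operator-provisioning
  namespace: {{ .Release.Namespace }}
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["speedscale-jks"]
  verbs: ["get", "watch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    helm.sh/hook: pre-install
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
    helm.sh/hook-weight: "3"
  name: speedscale-operator-provisioning
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: speedscale-operator-provisioning
# … unchanged: subjects, ServiceAccount, Job and speedscale-certs Secret …
```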
@@ -0,0 +1,138 @@
+# An API key is required to connect to the Speedscale cloud.
+# If you need a key email support@speedscale.com.
+apiKey: ""
+
+# A secret name can be referenced instead of the api key itself.
+# The secret must be of the format:
+#
+# type: Opaque
+# data:
+# SPEEDSCALE_API_KEY:
+# SPEEDSCALE_APP_URL:
+apiKeySecret: ""
+
+# Speedscale domain to use.
+appUrl: "app.speedscale.com"
+
+# The name of your cluster.
+clusterName: "my-cluster"
+
+# Speedscale components image settings.
+image:
+ registry: gcr.io/speedscale
+ tag: v2.2.419
+ pullPolicy: Always
+
+# Log level for Speedscale components.
+logLevel: "info"
+
+# Namespaces to be watched by Speedscale Operator as a list of names.
+namespaceSelector: []
+
+# Instructs operator to deploy resources necessary to interact with your cluster from the Speedscale dashboard.
+dashboardAccess: true
+
+# Filter Rule to apply to the Speedscale Forwarder
+filterRule: "standard"
+
+# Data Loss Prevention settings.
+dlp:
+ # Instructs operator to enable data loss prevention features
+ enabled: false
+
+ # Configuration for data loss prevention
+ config: "standard"
+
+# If the operator pod/webhooks need to be on the host network.
+# This is only needed if the control plane cannot connect directly to a pod
+# for eg. if Calico is used as EKS's default networking
+# https://docs.tigera.io/calico/3.25/getting-started/kubernetes/managed-public-cloud/eks#install-eks-with-calico-networking
+hostNetwork: false
+
+# A set of annotations to be applied to all Speedscale related deployments,
+# services, jobs, pods, etc.
+#
+# Example:
+# annotation.first: value
+# annotation.second: value
+globalAnnotations: {}
+
+# A set of labels to be applied to all Speedscale related deployments,
+# services, jobs, pods, etc.
+#
+# Example:
+# label1: value
+# label2: value
+globalLabels: {}
+
+# A full affinity object as detailed: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity
+affinity: {}
+
+# The list of tolerations as detailed: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+tolerations: []
+
+# A nodeselector object as detailed: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
+nodeSelector: {}
+
+# Deploy a demo app at startup. Set this to an empty string to not deploy.
+# Valid values: ["java", ""]
+deployDemo: "java"
+
+# Proxy connection settings if required by your network. These translate to standard proxy environment
+# variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY
+http_proxy: ""
+https_proxy: ""
+no_proxy: ""
+
+# control if sidecar init containers should run with privileged set
+privilegedSidecars: false
+
+# control if the sidecar should enable/disable use of the smart dns lookup feature (requires NET_ADMIN)
+disableSidecarSmartReverseDNS: false
+
+# Operator settings. These limits are recommended unless you have a cluster
+# with a very large number of workloads (for eg. 10k+ deployments, replicasets, etc.).
+operator:
+ resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ # how long to wait for the SUT to become ready
+ test_prep_timeout: 10m
+ # timeout for deploying & upgrading control plane components
+ control_plane_timeout: 5m
+
+
+# Default sidecar settings. Example:
+# sidecar:
+# resources:
+# limits:
+# cpu: 500m
+# memory: 512Mi
+# ephemeral-storage: 100Mi
+# requests:
+# cpu: 10m
+# memory: 32Mi
+# ephemeral-storage: 100Mi
+# ignore_src_hosts: example.com, example.org
+# ignore_src_ips: 8.8.8.8, 1.1.1.1
+# ignore_dst_hosts: example.com, example.org
+# ignore_dst_ips: 8.8.8.8, 1.1.1.1
+# insert_init_first: false
+# tls_out: false
+# reinitialize_iptables: false
+sidecar: {}
+
+# Forwarder settings
+# forwarder:
+# resources:
+# limits:
+# cpu: 500m
+# memory: 500M
+# requests:
+# cpu: 300m
+# memory: 250M
+forwarder: {}
diff --git a/index.yaml b/index.yaml
index 1fa59ad5b..4baf3fdeb 100644
--- a/index.yaml
+++ b/index.yaml
@@ -4107,6 +4107,38 @@ entries: - assets/cerbos/cerbos-0.37.0.tgz version: 0.37.0 cf-runtime: + - annotations: + artifacthub.io/changes: | + - kind: fixed + description: "engine image upgraded to v1.174.12 with fix to codefresh run --local command" + artifacthub.io/containsSecurityUpdates: "false" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Codefresh + catalog.cattle.io/kube-version: '>=1.18-0' + catalog.cattle.io/release-name: cf-runtime + apiVersion: v2 + created: "2024-09-17T00:42:16.609860495Z" + dependencies: + - name: cf-common + repository: file://./charts/cf-common + version: 0.16.0 + description: A Helm chart for Codefresh Runner + digest: e31afe9412ca377375289eebdf98b57ff92f658f8781b0a27d72f5acb065cb7e + home: https://codefresh.io/ + icon: file://assets/icons/cf-runtime.png + keywords: + - codefresh + - runner + kubeVersion: '>=1.18-0' + maintainers: + - name: codefresh + url: https://codefresh-io.github.io/ + name: cf-runtime + sources: + - https://github.com/codefresh-io/venona + urls: + - assets/codefresh/cf-runtime-6.3.61.tgz + version: 6.3.61 - annotations: artifacthub.io/changes: | - kind: fixed
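Review bot: `deployDemo: "java"` deploys a demo application into every cluster by default, so a production install receives an extra workload it did not ask for; the safer default is `deployDemo: ""` with the demo opt-in, and the comment should state which namespace it lands in and whether it is exposed outside the cluster. The `apiKey` comment should also tell users that a key passed here is rendered into the `speedscale-apikey` Secret and kept with the release values by Helm, and that pre-creating a Secret and pointing `apiKeySecret` at it is the recommended path, for example `# Prefer apiKeySecret; a key given here is stored in the release values and in the speedscale-apikey Secret.` Finally, `pullPolicy: Always` together with a mutable `tag` means images can change underneath a running release; a comment recommending a digest or immutable tag for production installs would be worth adding under `image:`.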
@@ -6012,6 +6044,33 @@ entries: - assets/mongodb/community-operator-0.8.1.tgz version: 0.8.1 confluent-for-kubernetes: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Confluent for Kubernetes + catalog.cattle.io/kube-version: '>=1.15-0' + catalog.cattle.io/release-name: confluent-for-kubernetes + apiVersion: v1 + appVersion: 2.9.3 + created: "2024-09-17T00:42:16.659953014Z" + description: A Helm chart to deploy Confluent for Kubernetes + digest: a4aa16b75470a0aaabfe17cbd549df7c3b8b62a8d508d6f17912d44b06b951ec + home: https://www.confluent.io/ + icon: file://assets/icons/confluent-for-kubernetes.png + keywords: + - Confluent + - Confluent Operator + - Confluent Platform + - CFK + kubeVersion: '>=1.15-0' + maintainers: + - email: operator@confluent.io + name: Confluent Operator + name: confluent-for-kubernetes + sources: + - https://docs.confluent.io/current/index.html + urls: + - assets/confluent/confluent-for-kubernetes-0.1033.33.tgz + version: 0.1033.33 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Confluent for Kubernetes 
@@ -35839,6 +35898,37 @@ entries: - assets/btp/sextant-2.2.21.tgz version: 2.2.21 speedscale-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Speedscale Operator + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: speedscale-operator + apiVersion: v1 + appVersion: 2.2.419 + created: "2024-09-17T00:42:20.831602454Z" + description: Stress test your APIs with real world scenarios. Collect and replay + traffic without scripting. + digest: 767122b99337e1b3e1398fdbf3aeaf17b9694ab7b7d36e2da05033772509e6fc + home: https://speedscale.com + icon: file://assets/icons/speedscale-operator.png + keywords: + - speedscale + - test + - testing + - regression + - reliability + - load + - replay + - network + - traffic + kubeVersion: '>= 1.17.0-0' + maintainers: + - email: support@speedscale.com + name: Speedscale Support + name: speedscale-operator + urls: + - assets/speedscale/speedscale-operator-2.2.419.tgz + version: 2.2.419 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Speedscale Operator @@ -42399,4 +42489,4 @@ entries: urls: - assets/netfoundry/ziti-host-1.5.1.tgz version: 1.5.1 -generated: "2024-09-14T00:51:02.883174568Z" +generated: "2024-09-17T00:42:16.129150033Z"