From 009778b13014be067886f9d17579f65ae1597720 Mon Sep 17 00:00:00 2001
From: actions
Date: Thu, 7 Oct 2021 00:24:14 +0000
Subject: [PATCH] Bump chart version
Signed-off-by: Brad Davidson
---
 .../rke2-canal-v3.20.1-build2021100601.tgz | Bin 0 -> 27872 bytes
 .../v3.20.1-build2021100601/Chart.yaml | 13 +
 .../templates/NOTES.txt | 3 +
 .../templates/_helpers.tpl | 7 +
 .../templates/config.yaml | 71 ++
 .../templates/crds/bgpconfigurations.crd.yaml | 144 +++
 .../templates/crds/bgppeers.crd.yaml | 115 +++
 .../templates/crds/blockaffinities.crd.yaml | 62 ++
 .../crds/clusterinformations.crd.yaml | 65 ++
 .../crds/felixconfigurations.crd.yaml | 565 ++++++++++++
 .../crds/globalnetworkpolicies.crd.yaml | 856 ++++++++++++++++++
 .../templates/crds/globalnetworksets.crd.yaml | 55 ++
 .../templates/crds/hostendpoints.crd.yaml | 109 +++
 .../templates/crds/ipamblocks.crd.yaml | 82 ++
 .../templates/crds/ipamconfigs.crd.yaml | 57 ++
 .../templates/crds/ipamhandles.crd.yaml | 57 ++
 .../templates/crds/ippools.crd.yaml | 100 ++
 .../templates/crds/networkpolicies.crd.yaml | 838 +++++++++++++++++
 .../templates/crds/networksets.crd.yaml | 52 ++
 .../templates/daemonset.yaml | 266 ++++++
 .../templates/rbac.yaml | 163 ++++
 .../templates/serviceaccount.yaml | 6 +
 .../v3.20.1-build2021100601/values.yaml | 82 ++
 index.yaml | 17 +
 24 files changed, 3785 insertions(+)
 create mode 100755 assets/rke2-canal/rke2-canal-v3.20.1-build2021100601.tgz
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/Chart.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/NOTES.txt
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/_helpers.tpl
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/config.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/bgpconfigurations.crd.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/bgppeers.crd.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/blockaffinities.crd.yaml
 create mode 100755
charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/clusterinformations.crd.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/felixconfigurations.crd.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/globalnetworkpolicies.crd.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/globalnetworksets.crd.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/hostendpoints.crd.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/ipamblocks.crd.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/ipamconfigs.crd.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/ipamhandles.crd.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/ippools.crd.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/networkpolicies.crd.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/networksets.crd.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/daemonset.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/rbac.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/serviceaccount.yaml
 create mode 100755 charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/values.yaml
diff --git a/assets/rke2-canal/rke2-canal-v3.20.1-build2021100601.tgz b/assets/rke2-canal/rke2-canal-v3.20.1-build2021100601.tgz new file mode 100755 index 0000000000000000000000000000000000000000..7e56c8e0df2702b332e0af3db64c81c4734d37ed GIT binary patch literal 27872 zcmYhiV{~T0)-4>{wr$&H$F^H7$E=i0BJ$!O=MJA%w!a~6nuC&P1!YB%+)w;bk%sdlr%ND6t(PaO&raA z)K#1WWi0F+K(6}i{5H8(Xf|fQF>#*qT$+<8j1G7RXZhU{?JDXDWeFTMZF&m-UO|wN z!fsOh0u@=$nG6y}UIFt?5s`DvQ`pSSp%%g9MF=$+6C#t6~uepF?FN zc-=BEFc9SL4guWV-8K3Ke$UU>G$17+AsG?&dA9-Y?`ponu%V-(j8eX+3#9MH+lnu0 zzLbdUd|U=nqbxtA%Q>z-R#+BelD1H|&99X}VM$32Gh3W-_b3$6YZ$Fpd>`>YzR*E*s6Nt@`jQCU_i6xF z_Q^l(NrJ1pM1de?S5sLl0yw7vF~~2-$VksGNiWEr-;0}%>je{Ug^Ltc@9ZeSoTtF! z{rR}#2jIbR&CO>}j1>#c)s?@Zqh-8){E0NhK@%Au9hNm!B39*hG{!L4_z~_tI$5c4 zxS+GcV{*K?0+UqE)&m8pS^EQLjHN2OD3x6K@Kh&NY%DGQjX9gpVG|!|U)b0F{JwKg z=YW^<*5*2ZLLDYE?+WFfvupB?{azrcK$%**_#NnR4nY64U{Pq#yk(|2Qy=nxyV*Aj=1>B#wqzoGekO7kBBlCn&9qFy5B(hl zS=-m#AR-%N=GxM{YHY3{#Y^}-_^m^d1->36_$9MTd1b7PcYqD+nl?pG96-3EG3(gXv){Q;_uWkzko6=ueOu~5I?>?@|JN; zziLlm_R%26e5$|bGBnn)n^Z*1RNm+@X5h^FwQ`tCDa7NPYWEuhY-EPVa_DXxEKz5w zS%T?GHsmGPX^qHauIEGQ1vIvA;}yMtC3Wn4sX&WyTpGT1jN+O5D`jom8ickTm`Htv z*p9?-V#*=hUIUZ|b^e8(c^4IDALyTN1yDZ;SFry1cM?@ie>7kSa-JcTY$d?&=Eh1O zXFp1!33R$SoL!Ltdz9Vm&qAgUzNTl=fMHXNsjsJr>_Q$D^^rI6C~d#%pS2<8)o8sr z(Oora2c!8d8MYbJP3xa!lDyOL0n}8Z2f9P$9J&liMprr4pi=#ok^a!|f0emXA3L+h z3_t!e64^p0q6JxoZ{*KrZ2bu*55vMHDn8K<>pQ)$$NtwdBs~z^EIgSZ(vy-_=-m?Zl z{weNUFrF%$l^&s?#QNkgbIvIX{f?)|Y(7<(&qggdGan-Vu$yY#2eT|HE+b5YKl@Dt z=6A6L+q_51U&TvwKv7|3)ga9cSvlJ@X!o+8@F{BRhF6>& z?2siBp1-`A`+~G>FYRV&`S#DGKH58@Bs-lZ%T@97=@y6Lm|7!l0OUMG8-Vo~p@8}I zqFDxmAfK>}t8tBq5a15$^G7(+~EA%UjYi8Hxn zn3GPO^MgS@-7otMgg6-{MX`n1Q&zHnCnQnKE5CM z5FLR^d&l4>&D|#J=X0TDO35%bQ^G>XAnVI2LcqW~t!4vyHY-7>7Zfd9H9CisNh5uGhGtletzuox04no?&{!(x zPPadj{;HlWE#@(DfMQn8$5NK}&xb;D?-4X9PJCU`&>gjgAdHBEHWxee7_jmgTJiNdEKJIx~C1z6E?fpSB#8&mm4K;zq-8Qp;&QLauyKyvf;1k6pt!1dlhUJPV{(co`B z3MUJutL34H6cHjhGr$9-GZjQ9c_dJJ)9={mspMn}+gC(_OcuSIynU*2C0%_)-fE^c 
zIlJE~h5P)>yQ}1lb%%2efFC{Iuz&pDAjZezgcf?hw z9CO)vYqV_Q-nJ>f0_C>%z$g^L@%Vi2MJ|>u5YE$+kjnyMW9j+$vd7_h9RRBfU-#?Z z5szytG24E>Nw;UMvdE8?83etqh}e;4S)xLP@pxLlrb2bc&k3$ooWczP&ufmRj79$a zGsh|hPkM6KgRLm-@@&hY^d4m)SFuVGSNje(ncC>l^k+kc6b!d=1Qmu4nSL{HCnGWs?UrOq>xN&B612J`yQ8+b>&Ub9C^U;lh;{y`5xp15qoYGTR37f!u$B+#>t-`JR!E(Q zY@Y{;rV7}`WR_M#gHtpy9+w&JJIKquxPfB`Bn~!uxifk`H%?79fN_*EFUI2T(m&7D z?B(m0cX2O-g~Cdmr?6BYPBfbgJ2Y=TozhCZWwsv_Yr)qTv}YYleSF!~EL`_EqCy$* zqs`y8fgNjEsUBT=f4B%;F<-0xiBPELx%iz;>5l>g!OA zNF{m^@M5XAMiAZA|M7nB&Z&pqiAuF>DR1rY^}zXkAyB2b;dg~(0d!2?#^IUDP*nwgUGTFT&^h>m76Xu z^)$|4q~zXwCZs8u2}t+pVU{KN;g&tgAK%t z>G*!1)&s?{DPd-8C!_h9r17o2NyjXnnF$8)^?*|IEM}e~s=&!fHr-qAxEvF>$M5u1v z0NIS6ab;f5jqI$cbRt={Fi+*yXR<`z-lS8ERb%NKY^gD)0*$9AJTvrx9?%WnjSFOD z$O6-g=&qml$8lLT4PC!hq4iXT%}2@{5o3)04nDvu9i>~pM9wwkv7Z)XkDasmi3BsT z{lx9gSifzHv2dj02J7nlyfFy=?6B|ZQ*%5ji(l6(hc_DFr0+%ukl?hiJmU6{sC=p34ks#3)>wKM`u(Z8MX^fWWE{}*3+>lF;u{98Y-^$>fyXNtzk7n< zVE^sBS|vVVrC&u6et);MkP}<1Zls!-++?So+3e}14?ec0IOPzf#!qiI9fEwb_K^{+ zjR);GpwfpBt*UvFbLisRWXjK^Z@a#*ziR%HbLivCtyuRhYv0YgwEQ^HvcxQ0F%GR&2`1AH2@?QB(Yc=d*b)-&nGATHTt-qM=H>dL-e&E-RmG+vx~o$ z0|z>0Kz;$CHKTi=-_yaXq!sW3Z5DkKh+-zxu--5{LEZM8kiD3@6z~7Mn(Tl~)nvOc z*_bwKJbr2Km_J?D($!`^h`zaXHE6`y#w*HJjWZr_Xu4Ujw&TfeR>n1m|HhE7b6iB^ z#NK1Z;8*dQ4xgjn4E+!`wW4roaFTC%-N8b8&PNg|m<^a33vZ#IdSR!^L$yzc#4(m- zU}4n6=fM=5lz6JflU#$&Y#eJ`3q(0v@+^ioa7+XfI$!reNYM>r?^T+!c9DI@7))%welqu^JAzg&*;W1a4BR|Og{-)ie&DxZTM^2iDV_187V z@Lp_#D4bhd@?Asyd~8coUQ+0&kBulq4$umfr-4D2kc5sb`xLC9MXidjK@3tceEMt@ z_7c)-p4DMxP7A1nbrJRbtrU1KCD+Hm)u~4VXYxmX#4+3@1y_Szm=pc6!C3Pc7&0zP zuf_nIB!?fzt(={o<|}X`YqiRQhkIBY-;PnvcVKY(3WP`y+=Rv8$+Sq2so+l87B-ex zdW_U1y1VjiGb>@~F;p<>FN#e}++K?13M`WJx%gZ!t;wFvn&!(4s#Bj4jP+|244qJ1 zgRZb%_Mq{ZmxJV>dk$2G1_n^Q;U2@65;pSp*wc7N8RW-Q;jP%^=B47AdmNGBy(0+@ zS7|7=>qJB!L^s;Tz^|4Nq@HPVlaX($st~(snS zz+H{p11#s%8xeb$8aoo@xFIH6QO^W^D$LGgZF8B`n|5}dI)KkB+VG$I68(tyo@d-O zABbK1qAS?`*4BN~)+G zx%Ov|lu#rD&B~%^kTt6t{rGgUZ2i zz9I*&AnnZWl+|L>Dvpsl?M+tm@Ekz(0U80Q?=orRpTKifiBoc^5*-=YSZo|zcDGsm 
zB9d^S{cB@C=FY>5+7GN~$S~|JT?NoH=sk3{OiRmS>4dC-zL9~iKy%pPIW9pDtD+3h z@L>_Vz`_g+@c%f8S+6*5vd)z68HnEgP&|&e zj|d)<=q#)IEz)tfAUp!*N_DGsV6URJccx-Yd&ygF4ID2zqA{1d2T?k-JT8D~*w3Z;z? z4DxTp0JZ=xiY9@dk_FVuKxUJvQx0&54j}0Bqp4Whfov+MITynC^s?9=O;V;m-(Qyw1>+uF<)hy<}(f^;RDiN+To<&R>eD zpBLFWrS5`JOT5X9P#QrRQw2r8ZKM#R7(n5(m^foXkRv#lyJb0ZT^-H{(Z@q^Mm~?6 zQFM{+A-a#b9Cwskrm;;NMnT$L&Z(hi%8a!97oa6~c8~Xiy7F# z3Ckp9lX2S!whUAw-$R)@$jnGzqpMc=ss-5Da01^Wzsn(fG=7bAJ0mtoAfMr}9)2IJ zE(Kyy>L7a`-=wV`G4};hTYi??pfj5!YewU>#Iaa7LN23y*X8ZU3-;-yrEdGJZAr<_z!k!kK9uRB)Fn8Nj>{!4iMlAcFlkD($*VD4 zb)a4g|M-onmy#_Bt6}WBKR*?uFS;XVZEgPA>%ul5CO;gMLwa4n{LV2MqWZ@VenBh(BtjTJ0#Oe9e49Q$E-7AkeX0n9?Eaqpb!=!;f97q z2q7{kQBWVqPBQ@8`LdZ=CyX0jv5zYe&t5Y;p5)j09F_*HwI9FACRi7HYuW`O=sm` zo2v-*Man2eVDbp}^g)GHVy8S!L>|uuBg~BkDPhA!jwfg}FQi?mGU$Sl*(kzU#vwnI zXK=kEjPUKT&oc`gW6%ODVJ+&V+@p4ljIJN$;rX%_qvCf__+O9xy*}$XW=@t>M#$C} zBD&&4j>orl5x@$U!K6`&#iKHOJA7rcjo(I%GXbQkNvb7a@S;I{8XRJ2&$r)r%q#lf+x~rcvli}6s)(x22wZ$PnXI=9bDPSWMv~9?s&YgG& zgmxz!h7NGZUi?yMg-&5}9VNoRjGkZ%Ut4_xl9;CU0KF~L+_)zh&&2<}Fs$JeT|3k8 zY>Z<0LF)^T4DM+7XOT2MRVzGeS@{aroKHPt96qU1tejkwXipCwE%mgslL0wXYlZ|# z6hq2Oady`7p>ao27YDNiurS-*IZu&mfWhzsk(T?%}z$ zev7QCvEvG#9w8iz@_~1aYg>BeWisXYYO5AY$_Qf~ui(Ni8o{7u`tc#L`C)a@ z<7>ZaQ-+_%U|4X8(?kz3%$?gk;}OQP$iGcT7sACP@|GY<=*!t@-E{_H>`aT02^?r8 zz@Xp>DY-x2o-`V6g@#1Mz7pLIH`A=dcsdON~xvy#=kZ!o@>`}<9P+-z5 z;^_ z6PV;Yj`4u#=zMH~b_7XMGI5;Kb$D(<9_nOClKRpu@snBU(KUl%T}V<1^hk>dX*Z*U zesXQT{^qEUgw4|ys#?b)3tDM8AqIca$ID^Wkm<3@e-me80QuG?dA*utzbB{Beaci` zxd_kD656?)O!0!e%hqXgeX$z;<@kHnzDHp5(^O|s{CY@~2LdZGxoS%qkZPSSk44c; zm`bpyb_C#xoo}UsOrKldMvT1e0;E_=@v^+Ejyb-S+K+rvX~^`vvRL(fGsFjg_IBv& zGfQxo#!l818GbbGiU=wwi@Et!lHy9BMn}taiPh=eftB5OcZ6n#7|Men!TONj0`BSR zswjJ7M|{F%bD@2pZ1qsr%Z2aGYpwBnk*=c*4+VXdToo&(R7099vKjRXtSB&m(DzY(B%C@pobs9@>B*~@N3Yz*mX7z6Hyw%e`7CG|%K9|J6_!*}_ zVodxZuEBWSHox!K*93_Q^8w9!qC(i$>GMg$GNU>+(71w8gC=hQbzDNrZ|scN>X&4y zsCN5ilCpF(5(lgQ+PazX21SUE*5b#JH#6sZJP3c#pLbVHKY;n`q%TnvIEIlMCND)> 
zvo^EskhJr8C@IzE+2w}KM*UupYs}J|;+T`@7>_%T^L`d?s3+cRI=40(I3KOV8?Kyjd8({r9(yn=F!7$l-K1pa$4;F zqmC5!(EmbW|DSG9PoZvNe?jg~C_?R|L$_>NdK6A=FEMTZ;iLb6;r_>pBc@-ABlk;W z?1VcFT>=2PVC_b_Pa|0cRp>N*1}Rp4;qo!+apFt+w%834&v?r5Hl;HrDw1uhkbG`^-Z1tdd4#Hmi$k_dbUu0_&WEnJn)%)Tqd zvS8atCwnw!y0@Pf+m+BaKU6W?_Y1m*4Uz-pCew8`B-2VI_riQML@lirq(RZqeqpS5*+d7s{^KY&+y(9HVJW=C#(j7_QKt8#zAvQbewrC(gBjLV;JZ zO`y)4Y~6~bYbVdD{~7fFJJRk4_~Rh%fG5F6CRl>kd&+`BueQ+h>+K7{onVv@BpaM4 zdg!M!SlIorjQv+_PJ7LqB#OxCTzt-`lLmy2YX@bWg=Tkev+LfNhJj9QL&RlH8YoPP z#WWTke_z~TqbgR9idZd0Y18Fq+<2k1h;C4s{&sx*&bI&S^L7uu`Q$|Rjv|;Q52=ww z{;HmNLZ?eihvoyLw_r4e9z&~?H&}qH0lj_!3!hgYIO#JH5A7W2RH-{1pbV*F2Idr_ z$4V7uGJVGYMuv6SIL^LDLh#!#M71F9oLAoZS4g`B8@&O?#84f&%SEOJMjP56 zZMK=NyqX`5%tyGF$|#oM@ZS4zG=8+^Z~LVfu2S=dTA z3T)drv)=+}EXtHj$1d|FaQ5+8_Xq&RDSq~{Y5MIzk#h^Utov7alfTTuIWt`&W`hW zCc>3SPizbl#ITkcQxxxyEC$7#my>>Td$6`ZS(=yZZ?bJ8=G^~5j8(xOKU%@$6ae^V z<^Gu;&pCVPvYoY1Znbxi3B$!3L>x=7-3-QU5QX zmw7k&BBObZN*cZA3_{#g53gEm!*W0n_Ir8s8#|gnUiyo@GdYCIG)o24`@Dvf=5lI+ zK1wVW$WI+9)iTBmwNa z!NCRG^fbg?EW3i7sVCU?T6H)_^OV7=8E-^5>PRcu5sM`ak6BLLL;ZbrY&-}m zy?!)N36gk7S=CwWd4TmnM;ZVRiWo9Tx;OkEm9-#4m>jz0Ix0*YmKm-S;T74Rh!)QitG+3$6KChP1dxY%kp zS02Vs)wCh0P?MJQI9o!=x9PK#v}~;@CRz`9dDW1*wJ&<%qOV3uc`eV1MUD8q-`wEk zyaiU{n0*9M)a(C`fDSdrf?PJ#Ksqh?+e-4w>kdG=#B;ESQCE_kSUEStS?^m)0bn1Y zhCf9_@YzxZ8FJE}KSg2n_@2q^wb7!e5IN(uG+f(_h26(>dfu?@!Mu)ga@uJS3@M45 z|0kajc|R-NWkE*$R`t4yM-_LS4(0NX8u#pLkBd#3nV57zdNPXDgrjKRk7CszX7*!ArG;gKX4Lv>Bu58pP{A zj4^@x`I^&<%yl*rOSQ|{ZN*@=dBIJzUew-}c2=W#4Z=WTa{6xxm-)^*rauD z4m6TSS1w4OU@Obc=dzUcIvrze?zyUEr(WV$*`FiR0>ijFaz&Fu$0j$u{unYvDd&ej7CMr0+khz_#hK~HO? 
z9@gSAOm ze6;i2dVyzTE*59WAT`St-Jz0BgXR8!S3;s8F>ZxNEXFQT4vB72@g*0c(rnZ6Mx$KRn4$I2~{Fc zXq_5suWx!<_JbPPdX6|`zr`t&s%PsAZkKots%M+_!gqPTQ%sVB--2{UHfsLyaW^ZB zSgK;ZeeYBEQV)4Ue%Kz^Ckwi(H#+p+a9`J{&A)@@AnrU7vN@W++bdGuU5Ceda(4UZ z>GLd)oo`IL9&+j3QEGE$<7`%<0ce0pv)nfm(V(57ib>m6_VlT92>+0tZd;T2h|zcBkjug@v0vpiV?N)hY{Q@t`Jibg#`aclETD)H2p zvj@=Y@d~Ef;MGKvPsb2hr$0-LXO)8tBH!D12KgpEJi-juE-#Ko_G=Ecisw?L(&#Yb zyas>fhqZZ*4)XDvo}{uS0|h^cLspT)n&FOv;n|aIg99|!#8xu5t!WgF+|@!J6xWy3 zhGh#VNc`S%;a_M|)Re-&TA+za#j=Cn6e%crDr218s-Mw#w`-aceoI6)*SG#+Pg$JC z7cgEty-ZD;R+e26LmCUAUhzXclmQ;C3q!Gj#}xy@lZxuI?I9 zMy5YTutW;?MD2n)n6h9!3Q1q;N_y%p!v3Q`*21alu7>utlY8}XSTmgh0r0om`$s5n*gmM?BzTH`LZ^QTkBBc(AHTyG zQ~o5NaD_yv{PJT0m3IVsR>zpOcaEP$pv)*_Bz8Ibfa$}|njj7q{DlRv@>(S-+ulC? ziX~RaPJkl8BDpHDx!rq3{{1^kTKol=<`hicfaIZSpdoYBjY82DuXuDpm?4&(U!=91 z2v}Sh#ngSCuF+!7EwR9#DIM>Sfqr^E`NEcggnX{gk&#b>35ABwP*>Lb{8!sZ)t!xl>>WoPB9%_%UmQ z{!c{)Ec^3b`>Db3)$}aYMw-KgBswCk;ncpCEYA4mU5DZoBtJ! z#d>A84-(+xd-yombw~Aj@_NgfJI|Xnfv$E-R6ftLi{Z0OS7}dM4r7VNl#}tr7!1X2 z%)dy_wM}yWV$jz$pg>m}MrjJU-~3X@ww3x%m5yqyW^h2N1(Reh4!MNpG9=s4W8toXVulQIFZR9Y3YnZaMG zCTNuIMDv_urhx^wtUVrNU)Btp^+xeR&JoObxRx6;*`mhT^X77~{~2 zdtJYLOUow0+>o1(bQE**9E;7&T8l6$WRhYC!g^qhWc^%0bYZ+?kx?V{tDh#)XpMi4>VG&)~ zt}f&pf&y5)VTD=dgMPFg9L4W6nG?JZq8ljl13#=^$B)T|rtF2NkMektd9m|u(Who~ z!lcKtn{*oo2IeD~ZaL&2g#17w12MU^M%GqQG@-s>IT9~h=*-UiZCmB)A+S|utQ%+j zBH3Nyp44Qqn54t-jpfgJls^?6!nG!emk1)S2ekA*b4+pbbJNE?&c#($=2NRJ2k=un z5{WTX5xxi2WsnEy`KsaKsxF@s84*<>qa7W0>=E*FbGbEkb3;rS2AUhCIxUsv%-cyI*Tr0`7^^rt-KogQ0uXBj&C*Z z6qy(p%2$01M5=^j(bpE;?tiL}_>v#H1W`E3KuHtqQT_n#gW-(7qNe9_!TGc18bDuG zGoux$ulrKi@J(|15YsV*N$tY0JXw6E7{@rkZTfnpKZHDtCT(O(r`#!VIlFLpxkBhp zK7Fo#n1GRI*(HkLq#FE4Yud1=9f}?#OMm~of3)=CHbiRiWk#EGeGi}SKa!F$7>syP zFUc`Uk?G*+NSA^84e4tYZ*UQ>JJc^yu}Ph=AYh5AQK2%77WtPJ|9*5e!3gUozF%X9 zEL{3l5(d?aBz7T9SxC~vJAuSgMlW)}5wn$81V)_tiI79-%QUP_TFQC7rO@gp@s!0{ z^{PI8Dz|I(xS&R8T-7n8LcN4CHJ_m|nvu-*1*1sDE9F?ah#jYV+!fM;0IGtDLKVuH zpA;wCB52sN*t+(Go`HNf( zaT8ykkCe=@KG-vJSsVtFUO0gen5?(JHK#B;n zf5-vY4m#?e$II2z&rPV)LX3~=^7fI 
zLM+UQYY&-vkxEmg0s{}@RMk1i0mi1H@9f4I%HTAKOVtAs4*LN`(lr+*J!dT=?XNj@ ze0e8PG@shLy;7X}94U4LhP&f4agclB!_<5=lhRI;STzMoP1uHD2|FZHr0tF|R3kl+ z+jQ-iR$T&vtVP&qa*FKapU<#wnmGXYw=7$hay*hl_i6GDrJwKkSjVs-ki+QZ+0g>s zh;%ya7LF|SE711cs*0+j=SoJSYyt+T*kwF)BvB;2dLg-)vIulKkz#9P4%{k@v{O?C zuL0O1r(ukaepw4!&yhzQvij}{ZHLAc^*JTF@$$1Gq!cjfo11sIiYB!bXf%C`QW=X&LWya`8J`9;m^GMwZ+V?^P7&)SA$ZJcs9;ViHHnMW_+* zd2>S)X=MI%@v4nO1z9oxRj@0Rfm2CQtKHoZ9((;Gi3F3whK*riDO&d9O~f=Nc{Z{` zMT;lQC1a``e5qmmclCreNZZE`I@PqfcSZFb;cQTzV7aQkGmrBX9m(eK3jb}*kaJ2= zJ3n#(Z^+h>o%UO-f~^g*+{|xO$!V)u;dakANi3tZf`;q-+A(BRY>Uk+Jl&qwOZe!$ zfU(kr{+MgEIws_Ge&arISP^ncP8Jt@qJ_O~_G>&68s@hvin28gx~kBmG0j9+>o1d~Jv}`k7#LT? zm{CyHVx;2Pu7-K>jpgECd#Sk53-aTZ^o5-zw+c)T)MORcr42dU%SvK>)%sN6I*i-= zfG{!S;_`=8SiZf2rmE28VrFf-K^&f)8X$dkMOJabN*rP$-_=mx)g7(e(_m{9YZj%1>C z0?@z^%`;fPgo^3IfHPvQK3>o&dIG2OG=>mZG4J2v5b zsr>ET*Ga?fR0*MmztM5%qxQ=A2izJi?^xj4TsiN?t!dBP2Suxi z7HdtCtJcMX(DN*k&F*-yd&m^if!(-!q6q}ZUPW9mR0;hKLzQ+4aN4!j@`SUP@F7fJgA;^&a0sJjF5 zi#vp!*2F=!*7HYiuQHZydD~Z!({O&uG$y#YxM!68*nRRcdRyk@Tf&XAVl8c(k<5l5 zL)6hvgCC7bRd3J<-yRxiMsi4_8DQ4UPOF8BlMmaCfBc@-<@%PC!RCd9QYN?v*aQDo z{VSrSRzq1d;V9o+NW@)qR6Y7|OEb(2rK%BiPJ*|`!fpV8{Zsrsc#1zq>ZL^-+M!Mi=CiTVbAcJxHw|=uH%SG=csJ~DKZ=yEu_v^u zGMz5lJfV_ZPdN6CU#q)BT3rY>w*vHx0*Wh<8qKm^yPg^NdD0^VhMsFeN3olrhfx(T^g$;L`#!-`5!DY7T4`lHyt^(rJEQ?v*QJm^gtxZh z<=DMSmUj;#9X5CzZm(Zxp@8WCKs-0~om10Sn(KO}Zs|6s>T^$x0X>uAVAV~Q8Tdpcz@a~= zhkWys-F~+_Ur%1Jnjboi08202?lHGYOTG`xB)xjgYIp^7Z) z*3q!ANDT{JiczLJvM|u=?Ieg7t&1eyEClHuHS!gPmHmi3@owHvAtJ6N6ItJ}b*{<8 z1a59?nEa+$CA#!tpJw*ec-2dfS&+j%Y|j>Sr}OBRT@7{uGhQUc#p>Xr`D z0&?6vA51eliCiABAaIL3w{*wFL>1)ObmgMStaF4oO_j>?>Js>cwxk6v)5GjldY;Y` zy$YQs(l(YdWkXmGhf-yGRMA#ht#68m{t*}&dms#CW1n3STM#i%4BD(Gp!%$&h&q@O z7Eo+*2yvF7(yiO9&>YE?a;G*_9_J#F8P=X2fD-Q^%$^EamJi!E5)J1IB?Wf|Sagdr zpF0ITKeQFVK+!U_Q`ohIO!YX&N_KKA#?x-m3tKHxw=dx|Mb}VVmcXGn7X>c1+P1Cu zhI!rPYyeigp>6QU$e1*1K((H_Vo5lGJ7zz*la4LeulJFt5*0kGlf`MRJgvz`l?-!T z$>WNZhybt%5Jix3Wc%N9uAU``w>^lrdA>A?ytvqW5zqDfCt~xmQeCzT)yhJemF`dL 
z)xS#30J%@tBa1R#Vt9TlTw+o3_C2FLkU6b<=^kEUUev91*I7Q)Fg5~(OAslVM(NYN z%3SxtI)4KmKR5ASq*rTERj(^N`+6oz2n?Ey$dvswl7+T2`b{aozHFaDU*>SYQr(t+ zK6u_#IJy~$Cr@F9yT9>JKKA%=S)xw2xk1~l&S9g+XNNMuB{iQG<-OQg*!8>E)hj&$ z`2Y4B1>C+_02{5kKkWkJgNzEd*NpJ}!jX2If6t{M!1e$7_PeCi9OJRtF)pcl<(O3_nrmD zEcD9-Mz8bC{|v$6#r=ORTg8`8Zn?Vk|F~!s{%2%eJ?LPwK_&df{|)`$sKGY(|8n+U z`VK4qm%|l1Y?>$fIKi|3%hS6CO3i->`!6}R0DEj2Oz;1|i;jWc|AN2H|8L0u&~0*_ z$=$dZ_0sX>SXjg@Nh<(tnP-=dm%PxWhy8#huhQ1e$w1wSos8i-jkmMT#rPse=tkL& zR0k4p$`Zp&V`N`wY#Sd{nMB(}>~c=EC&KHznK>R-J=)L8t8>LL>a8n3 zQzpFKqkt(s(W7e`j5Z{6xwk(B=sqk<%`otusE;WaYBDJ9iHalm*ehhjo?n#yZ5#vz zdWq2-vww~|oWb=|h6(HSDzaC1X8u$n`7vK3*;p8pZmzKG&~Wzch3|#@r573XC0H>| zJTJV;e(itI=}}*tz>V{25(=?jc+@UE|70HzjJpCx{w96nMzT_$@o!bw&x;lORtOEe zo%wg9-kBYjPmGON0^PmkFEr<24MiH<&HHcX0ww6*$nnV=@1}+zt_Zt|Rz3g@0k`cP z#Pn3^3RX8(7XtkHetA{eJn^NPIe^zpdY~{{Ol5;&7r^)%o0R%a{f^6hF3%POTSb0vznrVTn=D6 zOG9ov=p*fdYNbZH&V5%XGo@%bh*|NU8N(@oz%tCb;Mfd5kG71LV6V0|&mQ6(kot3p zQY{oFPg2H;e}wDU5_mHsG@L(}(r0BxzsTZe9R&14Yhg%M>y=);f99J-+tFJQn91oM8xM1E&U&>+BxgVMer0T7g1Ae zBvd-;?!>c2)skZsZDLChF&J(k=o|SeRndFn5B*7j(d*$SG4l}E79r&aEIm#XT^*%Y zLzsk3YTgDZv>}5JM|Cuh!9M~JQD+_9hdA@HLEmZ){jTgkd4ewaO(8-5W~6**(r#!xOks3jH1>AkECR=I3)!@=Wy0_4|sNpWEFAS zZ4i-|3-jjdMEGdMZ!Ds3qw@+c{W@y?P5 z=`v7!Ur!YA|5bVL5s}T+nARyY=nU;@f$&ykW&TL-xwYh)*PUa&d@RFaVppKIx3_&z zw;S+eLG`oP=g^PAwH>Rz?vD%a+r5zm7#|%7vKlKPvQ-Gmy63((YU7bF$v*;n^$smD zOzZ`TTj=k33C$bR7z)OYcpkX72DNe5_(IYXzCB$p$dw<5Do52W*VPL#UjzojOmcWK zNP|5i{wx2-?FKdFU~S|vIK$vM#UIoBD!@vC!ID7wPY7_S><#vD9Tmk!iTQe4Ddnwu zTe+|CN$LuSQ}y%wv1$S-90FthN1g?+lV>fyL3p2Lv=Q9j_agQwrt_EGpIgW?ij3NZ zF!>ZL)RKZo0$r^oA06T*YP$1AeiXZgT#Je5dxa!I@3Oeg_S%x@hh|JhKP`D4Q)5u$7Ny|T zn2w5s75IfpTZ5ZTuWNU9brJa-$>H+!b-v1_YU+Ux4Gz>_=rNX;hsSwJKbHS0zO^5V zt}$H zmJ9euN$Ua^VEa`w=TYiay&v2$J7bVe9&=-mELH+a_5#bD^qBF@f=iR8o3xNUM|ylu z3>tJot(%uvtHo+~+c76&w{W$i4u+>YT_$%0#a&$(iJCj%JW6~BRb@B*lDB(5R@ydSU^#Q@a4SEK zb(CbulC3w!Xd#{gkX|KuIy2bOdNrw7M{%(17`6dq=CYHChh%0mlnd8t+U$<$oL{wm zs#i(GnXkNVXMk5L%}zll-~UY)NM{W!xW#7vwQ>JGY+Zdxn_EPn86S6mfbk?m?SX-h 
z0e$fPwT5PL!a&?Es66n~GmYIJQRXw|WXEDCY+bn2pDXl#SWG1k6z_Jf$uP;08jEf0 za9|!y*U%-XKR%Q(HHG3MU&aQli0rmT(=tt57eXhdCh0ghmOgh;2rQB-3&s4#6sk8R z6}DJ5cl)k1lSmf-^=HK1XEU(Yv^ea%8>6xF1G1T5!yN&w+pu6`$h;a$mktzu0K_#i z@QOkaKOUl^aRs6cVWjiBZX?EaeT++*fOR*dAv$E0SxI|Xr`sYwoxq!d*D!1g|To# zCl?$gIOzB)_ z6YCie>#481=)65~LA$KtdsQ>2`^S$T6{o&PI-RS0M|a)2JMNNiw$O&W1>3$b^f@xu zo{U`HFO}zR5~rH4UHLb(C3S_Dv^q{>8!{_vl%Bo|V;ehK}V2aC8+!JOPZ#*f{ImNSCV*Jl>5^~b`Kw(sc zBf)u}=JmcUR?~8($$uq}`Uow8`VGhhzpJ+-u@I%N$`<%X+8$(;3BbeKPsgSV+C3Av z$(aylelf~Wr;91?@o9IrRc_OV+&2H&azG-I7&h!L=bv&sK%-AaYSk#3EMOBn&niax zYE8FJ34`!F!aN5RTSLKFnmxbI4(&nLS>vbuT!t82l$vb({tYVm;)zDK{S`xkaeH1C z9c<~@w_EKRwBq|zo(Sq1xcz;TGn_U}1E%uz*8F=9^ART@#7<-`{E-PNG6cz{CONc= zf*v{ads`8IA(&>EKe~njujaUaYkWyeB4jI5Pj*vnJEeEew5aqOp>xkky;6Sp2JX(+ zV6;GAhVL)Dc+QdpS~{?v&(vHsMeYJ@)KrA~0mh0%Sx9@98KZJ4Eo^iz*FStoFuEXC zC$Y{pzu^3t0_CZ_v_5sGiqWe)b{Fi%{FUTXy!FL5PuDP zeZ?DZlH>K;@*g>Gj6IjV@G5Sd@SaDH9Wm3Vj~%+qIi|92LqD>uUpZnfGC+o?n{H-O zETGS3Qx4IL@Ww5ec^bE6;hR4CW=4S_A!I+x=D58g&z`7eD5Znf31{c8$%_dot z)L2ZktWK2}s#nCmsA{lsjnL26U+dF6%t+-n%@dcVgOWP)@EY3x@p02< zup>8t$zfJrWUk{wH-5QOD8HK-N?^^DBAhm(s4_OzW=A$~W(>HGy9%?cMsSr^UQGHqdem*Zws5gRQ=fa*m@s%6km6zZDr`YCm2KW1Sj+vA4#U| z6W?tHb!+G6-ym{K-f{}C(g9J|FdjWBZ=1cd+t=IU`>)k6FIk{X4EJmWP;(Sxjyw{k z;8e-{=eDTev;$)aS~bt+d_1j;rG%84XBT-YxX3vn`x5%IyWp&@D~u|7D~UG}u^GD9?5Jn}SBKbroLrg7Z_!#~#7+X>J0g|kur3kJ~Y9!PWsuAzop8E_RW`dW&`cWgruVrny%Q+e zwvlLt+6ls?9O+R0b8P;>lc zV)DOF?7w5%HGX4Jn=qRyM?W=}0vCEg==t%Z*Fs+Fm!5cc104;L{Mjs{JNi>|S?ua4 zM>R#Q#bV%hryi=)dw8}x$&^A{gR(4`U(1s{{A_^G<(l%1kfN_RH(p7yw0}BI%PPQG z2F}D|%iPzME?X*~FiQE>Rt?n)?OWN-kjJ7HjH;k~Er&&-DLe;RdjnPZ*HT`q>NMRPEF-Nnp2cVmuFjr@7wNi3c2vvB#g(Oq znwqj}v~?>J9RioE4PKN0;{c^8*t2iY?GSkae+-_KsLGm@xi(6BtT~#!o_<>nGS$o5 zgBpQ;%~UTsajh;4OA>mMX^>?yk+=Z0FwApu{|=-5dI9_Q%7`z`82cD%u%5S*c188t zMq?;K`xu_1i%Jx>AMegN^oYUo9Io0=G=bo#D~xhAu+d^` za>hh%I8=4e+Es2oZO;E6R7=@0{`#gYXBe1o zm3dR?6_8KkUaT&^jwg<;^v#8}A985n#Bq)4GdEd{#EkWMt9XO1)X#3>%{Hq+h8u|% zTsPx4I`~2A^Q9TjAnE;VvvaQr6n9XEZjLSV#249A(yn^6Di)^psziOvCs9+!L( 
z9vf*g9=6eZCl-r;OpE-TJ~^*~cy&ud?mv;1{r3_$v-j}zdmr|K=k#hk&}-9S_(MkE z>FaJsHdy^of5(iek=)*S1i<*q;zSCzt|d-s_4W7n5$kE$>n8RAWvd8imv{tAE$vXe zwqArLFAY_-ihOJ6b8o7&MJkxy7eX`fRETG3uCi72V!j5i~rv`CTrS_+!7_~C3eL=rT5l`Bd zx70vkZjr(Lro3gcXB|O{kn@9*sa~PMcUfo_clZxESuWg10P{lSNJLpo8L-F+=u&Yj z{(n*y+ykG(EFC$rt}os+47$BYk$NKTFHL++7A5;?zLM0#b|Svf=lW!iGRA5WUPK>F z@tPRyX8F))4wF~p=qhOaS1BSqxAN+9lLidZ^1IfQ|AVs%xFfPAup1ZfCtz;2lq7$u zU7#ClAf1$6RZxJ{enNDHOW>i#7kE)_YVR%|unoQXvTs&xd=@C!s7s++q|sHmw2H+) zmOdX8xD7afm>sgWa(uA%2BPaNN&&MaU$s0_@Ngyjf%CskB3cb!aPX+;E2|KE#lBjf zx5eqTE%a_nFAqHK@C_P+i5YZy1Suh5aQx8JUs=%fclYMBXlWXqNaN?n;05;iv9lM< zP5dzfHn-?!vdOHqt9nQD@)?_u?M}kHYFdE`wb-h@l`+$`?r@s4517G323o!}oMA@R zqVg@7T5;edTdE+B}kICzL4`|!<-WJWfGB`NCr$zHdE{u^pxN3bPN zw~w=f#^Xnz_0`^D6Ji+##31Mt3G9PnHw;fqCfl|h3W8%0PHhEh;$Vb7Cr^J;Q`vNf zQ-@oI4KIP%w%%^PR(8_wVRf4L0ru3;&PGAR3%GKfID)+fLn0rZ9FVY~f#g&R~SrXfv2;1wmoaz8D)9`qKm$a&9 z*<=zg!tqobK+~#O$FT5l;X~KM^rm~#3T9scfb7PnwQ*#;vSmm$pAXzZes&P-61X&0 z!*c?1Wk@&#V^qWKjklzosNl?zS!(-U)a$i~L(=aF{>it%{=SzBxWaQES3m_@ zq~|?*->j)=uCgC=ZxrwNM1(*^+s_Fpj|u#TxA+x}Qzh#w%Y))3KX7Zy`UAHB0Ux;4 zWH<6lz6yIBCM6b~3dWNmV$n}xn2G(AKB6T4B8cU_!a4{sb=f7_6^_N+nd0;!=t9O! 
zbB+F126-;ZhbZ}@z<_`U)HL)~+lofbdtP#1pOpEwpER%Spbqf6JFdDzCz0>WejhCL z8$yoz1^AZL?8xVw`GOr_R7F@gK1`Xn`KO*S(yS_rTdh5$D@|_z%}L%ZiRbhFt0qRZ z(rvV+qj&!FdicZJiRU!^ODNC$zV5Bz>&x@m(EI8#iPKdGPDr+q(&O91qSRFZ$>+fS zRC*lXaSmM0ET4V>96HG~dsK?Wl6b-BYiKAr2dj8Ya!C|Uk#ee0jkG;lqSs3zL z$A3fD<~yRRjxg{a-umB1{)@5p2ipG4X)8Sc0c#rbJfLU=OP9ZWYoX*H!@3CSx!pXH zIr`VB{~T*a`(OU#UzdZ!;_r*l2wa7hd>b=B`WIdOWmD+?KNP5|)@Cf8-$Ax=!@X7< zjJV{gVQ@NwJG%s*xDim-cMntC>K67KDcH`nt4NJ|pWBST?owr(tIJhu5CdKX+a(51l8$RzNJ9UfvLRHsvpaC*V>}cvbl2OKcbdvFtE)d8-Lq zwGa2Ek}_!+7P^Q;Ro0J@0`Aw?387M(!#2_{s(L2@2vl1PbAME$4ZJvEJa@^%JBDv# z%5h4j`RUGNRc3~7Ux~IuC^ObWYyvcy9_vLySqdU7DW9SG_B)(n-lPjj4a;pjMIO4> zT0D<7H`>oGIe)%~+2m)t?x7B|I3QSeY^)-o{xAiRHuFT_%Nf4v8iCkx5l6f2ISL#O z0@+{*B+jl)QJlJ6+Mf7_2er;#Tg)(dX7&$m{i}qSzkvUqG#3RjA8iK~T~F)($~3^V zkZeg|c*7%<3%h!6RazQ_X&`R?^#1U&xyxsrd77?df^3hzzYgXa5)HxgeyaO3M`8`g z?DewVHC1X56PQJnZkiI<$;u*;9Sl!Hch3GSgJ$YT_FlZB_gsjGgo01* zZ-2_^q0*oGzx$I`-QWI{wSb{hbcj~*-~0)*`QcBHs~K}?2siM}>U^%I1bsPMBOCR# z#+B(j4c#D~aP^cCkul*gx!%v|35cBrgCW)&bF`~~WAF;$`>cDw1g%(^mU%X2qi=@n7WE#sJQ#+JCCrEIrr zq(4K`Y3DoNb_l90W%1K7&ZToHfa2Q6o*MIeU0_6U!S@O32I8eR!DCVMy!oj??Of$;*`LB$!t9IKhpB-7Y?0B! 
zmK%h{^$u}eHibYfdfpm-@g+-v?ium3Twu=ne6WkmJkbO&#gQfbAzaU~*h2gpvNJnC zMWHH(A@?cxm@-l0)_zBf7SH$W^Ac8MfC4fdU>2radD#NRBmiY*ESCRvHv&uTqd+XF zRktCJ?6X^LZ_r?Bk;+R<-0@xgxRpNYfKwg0u8J2Le%eK!{e7l)Vg-Oj@M zcz^Z%N42%ig|Encjz?`C`BF%E^*x_^#s1)%WOlD!&21wb90w6;K&J5}B#LPyEOU9( zhGRFR!TMnBn_(KIITBnKwj}GDoCsDV9XB`2E^k%xOjP~nekj7{s|y^SJqKH#n!wO~ znkCUXr49&kXQ!|svh+*(` zwN$-zoV=fA0kTpxIamGOcn%#imNhrzH;iM?61qa1(~~>b%?m;8E*Vq95WAo4$o?** z?3d^fIY>joo>3izsY&Ng3hjwxD(dVYkYF?&LmnjNM1Lg^*<9uJ24mGc&}w0jRxd`s zAX17haS}kQFNo7pdcNf~wylKf8x+pwcOdqzYi8dc+O;E{XTeyfx$lvg9Bz%5yd1Qe zO5m9+fh^C*Vy9thHSlEFg-mPnv(!ubsH6-9da&EcR%+S!mD6(TF)jwf6u1S`7=xQ# znmYoYpFXY4<1#cCA%f{U z9OB6LyU|2k!3*{qK#}S($XuvpCWI{9 zg}A*_6%X35T(*?#fu>fM)3)ZL+}pFF7}*-e7~VgB*_O;pvT*qcdvcm`A%xP*5QjnJ z47X=Wo^?!2!e$Kt57iwp%u>QI>w2QWm_?Oy)b~9RzFMvC3=h&}@$ZUVhMP;@OC^NN zJvxGVe;u>_IlLW~;1~n1g3m1V(#6_dz3z+WB)Rh5icc2%+&ea1mWJOCjv+FMtlJYL z`UdZKSo}7Xff$>Hk^~!YAF2k;j&q00YU=~Wt zI)lBE&e+2WW_K7VFp6%z{%cmovnD zLW)ApVx@~iwg*OxLzCnNbAu$FY8-5PQtsGa)~Y%8t;QRb?J&NKtD_}59XsHgribY)dXrunFuCYs_wdd>D4>;OMA2!KlVX-q$v-5S4r`hv(e8&qBmCMW)opb zq$V)++*e`-Y6(g(@$sZ7K?(SKLX>R}1b32Mja@IbQ4RYVwB-2@UK3>-F>6dzZ1)a^!EUGayyqtpOz8N-Q5(t9i`F?Rs*VJb@iCVQBN9NiEX z^=w5Rx4v|=b1@FXUYF10cN{Kd$MjPxRVVmGr+mH1*#C%CCL`A#c|#Jco- zx0lW*m4<$&R`C)|zL?2$7VCevT5ffwc42ODPd&PuY-KvqK&fijkfq-J?6E$U&))_~ zHdDi*EF5BUWzO;r_QidP&FcA=^~qv4_T@KQzPK00+H7PCxoIS%7>|`3*pU>5Vs$hN z6ZaeVpJ6vYi;{ww%6~jSb;kRA9h-`4K0^gDbUF+RvD=Z?ZU~s$Q_Ay{s{DZBG(uiA#Vzj$_glE>=fc@>SYl{P4TY4oqH-3>lSxhM>~t#3@w$S z2xd_8^G2EF9{5e@Za=%nizq+*a6;^Z72l2*`3suxzC%H$pI3S=6@P=|T(?oNckL^j zJ=Bd(_Y%sfYV|C&*hu%i*cNZHFA&LMs`{P7kM(@dfmAcOC2z=)wT(A8T@XOYAY&-+ z{NPZjpC(dk5vqEE?rG9dw{JCgExOl6A=Nt!H=v%;qps^`(LqP9dPvr<+(@Gno?S9` zC~NW~+FXK@7jkoS8_BS3XB2x_-72JvkW8DqE4B5vBd$+8lLD6ua$=p-s1Es&binL# z7IgO$La`9uC@zJOlhj6Sc-EZA9E`t+kXz%9I=WJoUQyDqM`tZw_whj1Q^AHbuRVoJ z86mIc2z!S7OOSbfdvLrqey?o-zMTD01^Cy!{md_Y=iE;^@uT^+Hx z-eD)ZNB}B#oww`O8`te?t|O}*xnVP(3px7+gWWIzcc4&hXfF@XavBZiS4(=CFPqz? 
z`ds(dv04jrEy=-^@wOvTF8mZ^M)Ew4N!xp@EADI1B>yh9#rGe183&mB4;Wj3gDJ#$Nz5NYCVyEXNx;MCIA z42VHLTgJju?k1jI7Bx=XJ<V=vAtwyiYpEJEF`?J0NEVP0P81@uPf0?joitL-2H1TMq=4z>`-sKrkyL} z?0&7Massh!(-2IcBK(;Xl4Rg4aNzAIrgN)V!u70ec-E#z1@(AtcFzaJK@gi#1^;g7 z96kWYm7?{SL*GfrE~!FW&eYQ>YSC45s*p-OQ7IQef&*a?zvA`!Xc56?{djK?VMxdI z1`W!alQhZ=@W~5mi3zs*{QKo2^sW7IeA(F=fmwUU)b% zuj%dBS8fN@N}3w39}yv2F{@dmKtISJ`#rb)CECP96MlR4iNpHA(uBRVXqZ}M)~yq`8GoZ+s3Z6h z4Xq){5hD?#5Ra~0Cd_zO<-|rEb0>iWiKuifobWjh1+aL?B!o$L44zFXnwQsj^bRKS zR6FFR##so_tAKtT(2P-hegy;+a2u%(_jr9D+rmR$abcv{7MI;oH*%yMOOW3n0Cvf$ z@r`#k@07P|<9Y13wr#q)dPylUWNCsSerBmk>X4rIbN+4dv-=biDfnsxtD=~ZZ!Dplj_LQ3d5gq zE6LfvyBU<++u2U#4;i!SF$@Bk9Pt(DV<8%kXiY(|=g_UL+sd4BIif}b?Z_iF6@p~y zmPgB~Jcl4DxLCZNTMs=F_jNoC2cCPS6&;1;I@_rYqZJ*ydw4DXt{8aM!~T;Bvqs7@ z@zSDGdBjHkhen`~vq~ctk+R0pt!IkyW-8mWiq-ijOK?0=un*7JY`+j=rf&({wQNPw z+h#`vu-hx9|B&)6_%!}j_j1a&t@JnO{bSyNKT>a(u`T#zph?c{y*+sM6FJO2^%Yvv zucMBZqGoxe{odaB7Ci@cWZy>-57MSjusb_Cb9oVqMKSBck}TZ8iGGn;4jp$Z4gcOD zRqyOsigN9N(R2rt`Y9BR#5wq(bfHVkq|gpnDl?QJe#Xji^mEj3ld9&FYTiM4^C`FN zw6MqjytM}cYe7|Hpbop5kGX2S-hq{I!TllAsGpYjAP0b?M;i%=Q^S%V%BBMNgFX-!@zZuWd*OL< zt8*v2A?=h2BW^&-*}^?XYja#<1*L?TdKMC)@V*`ere;;-`FTyXUGm0TYF#*WOj>AO zlOnvJz~~oU+-O8xY~qrvmOmJ_q0wZBT189@KY^^wyENxQ053NhSTI<7b0wTHbkGsWezLjtXGM4gTiSL*R#c}HdKaNS9!h_XP#BKQg-Z7NI9bNRKKMTPCKq$y1iY) zH}&_9?Wap8NL!YQbmZHSMeMD>1~vr?;O~~sosAkqNXfD2cxQ^>?@~-#iX#b%Y1gM; z`nx6I&9Jr>wEZRyF6i008JLw#Em0mSd`in9-RQlwDpW!RcN)3EI<#%$nidHJHMu@J zcwdfVgUVX=HnCwmNZ%db4@%gRAE(=IBb({3a|rB}i?ry*sUQjjVmiZOQcw3iT6L;? UkAOLUO=bqtHz5)Rqk;tcU)kQJ2><{9 literal 0 HcmV?d00001 diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/Chart.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/Chart.yaml new file mode 100755 index 0000000..6513763 --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/Chart.yaml 
@@ -0,0 +1,13 @@
+apiVersion: v1
+appVersion: v3.20.1
+description: Install Canal Network Plugin.
+home: https://www.projectcalico.org/
+keywords:
+- canal
+maintainers:
+- email: charts@rancher.com
+  name: Rancher Labs
+name: rke2-canal
+sources:
+- https://github.com/rancher/rke2-charts
+version: v3.20.1-build2021100601
diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/NOTES.txt b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/NOTES.txt
new file mode 100755
index 0000000..12a30ff
--- /dev/null
+++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/NOTES.txt
@@ -0,0 +1,3 @@
+Canal network plugin has been installed.
+
+NOTE: It may take few minutes until Canal image install CNI files and node become in ready state.
diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/_helpers.tpl b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/_helpers.tpl
new file mode 100755
index 0000000..b647c75
--- /dev/null
+++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/_helpers.tpl
@@ -0,0 +1,7 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/config.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/config.yaml
new file mode 100755
index 0000000..1a005ca
--- /dev/null
+++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/config.yaml
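Review bot: `system_default_registry` appends a slash with `printf "%s/"` on its third line but never strips one the operator may already have put on `global.systemDefaultRegistry`, so a value ending in `/` (e.g. a constructed `registry.example.internal/`) would produce a double slash in every image reference the helper is used for; normalising first avoids that: `{{- printf "%s/" (trimSuffix "/" .Values.global.systemDefaultRegistry) -}}`. Whether any caller in this chart is affected cannot be confirmed from this hunk alone, since the image references live in the daemonset template outside it. A short comment above the `define` stating that the helper yields either an empty string or a registry prefix ending in `/` would document the contract those callers rely on.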
@@ -0,0 +1,71 @@
+---
+# Source: calico/templates/calico-config.yaml
+# This ConfigMap is used to configure a self-hosted Canal installation.
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ .Release.Name }}-config
+  namespace: kube-system
+data:
+  # Typha is disabled.
+  typha_service_name: {{ .Values.calico.typhaServiceName | quote }}
+  # The interface used by canal for host <-> host communication.
+  # If left blank, then the interface is chosen using the node's
+  # default route.
+  canal_iface: {{ .Values.flannel.iface | quote }}
+
+  # Whether or not to masquerade traffic to destinations not within
+  # the pod network.
+  masquerade: {{ .Values.calico.masquerade | quote }}
+
+  # Configure the MTU to use
+  veth_mtu: {{ .Values.calico.vethuMTU | quote }}
+
+  # The CNI network configuration to install on each node. The special
+  # values in this config will be automatically populated.
+  cni_network_config: |-
+    {
+      "name": "k8s-pod-network",
+      "cniVersion": "0.3.1",
+      "plugins": [
+        {
+          "type": "calico",
+          "log_level": "info",
+          "datastore_type": "kubernetes",
+          "nodename": "__KUBERNETES_NODE_NAME__",
+          "mtu": __CNI_MTU__,
+          "ipam": {
+              "type": "host-local",
+              "subnet": "usePodCidr"
+          },
+          "policy": {
+              "type": "k8s"
+          },
+          "kubernetes": {
+              "kubeconfig": "__KUBECONFIG_FILEPATH__"
+          }
+        },
+        {
+          "type": "portmap",
+          "snat": true,
+          "capabilities": {"portMappings": true}
+        },
+        {
+          "type": "bandwidth",
+          "capabilities": {"bandwidth": true}
+        }
+      ]
+    }
+
+  # Flannel network configuration. Mounted into the flannel container.
+  net-conf.json: |
+    {
+      "Network": {{ coalesce .Values.global.clusterCIDRv4 .Values.podCidr | quote }},
+{{- if coalesce .Values.global.clusterCIDRv6 .Values.podCidrv6 }}
+      "IPv6Network": {{ coalesce .Values.global.clusterCIDRv6 .Values.podCidrv6 | quote }},
+      "EnableIPv6": true,
+{{- end }}
+      "Backend": {
+        "Type": {{ .Values.flannel.backend | quote }}
+      }
+    }
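Review bot: The flannel `"Network"` entry in `net-conf.json` is built from `coalesce .Values.global.clusterCIDRv4 .Values.podCidr`, which renders as an empty string when neither value is set, so the chart installs cleanly and the problem only surfaces inside the flannel container at runtime; failing the render is clearer: `"Network": {{ required "set global.clusterCIDRv4 or podCidr" (coalesce .Values.global.clusterCIDRv4 .Values.podCidr) | quote }},`. The `veth_mtu` line reads `.Values.calico.vethuMTU`, which looks like a typo for `vethMTU`; it is only harmless if values.yaml, outside this hunk, spells the key the same way, which is worth confirming. The comment above `cni_network_config` says the special values are populated automatically but not by what; extending it to `# __CNI_MTU__, __KUBERNETES_NODE_NAME__ and __KUBECONFIG_FILEPATH__ are not Helm values; leave them as-is` would stop the next reader from looking for them in values.yaml.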
diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/bgpconfigurations.crd.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/bgpconfigurations.crd.yaml
new file mode 100755
index 0000000..589c3a2
--- /dev/null
+++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/bgpconfigurations.crd.yaml
@@ -0,0 +1,144 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_bgpconfigurations.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: bgpconfigurations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BGPConfiguration + listKind: BGPConfigurationList + plural: bgpconfigurations + singular: bgpconfiguration + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: BGPConfiguration contains the configuration for any BGP routing. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPConfigurationSpec contains the values of the BGP configuration. + properties: + asNumber: + description: 'ASNumber is the default AS number used by a node. [Default: + 64512]' + format: int32 + type: integer + communities: + description: Communities is a list of BGP community values and their + arbitrary names for tagging routes. + items: + description: Community contains standard or large community value + and its name. + properties: + name: + description: Name given to community value. + type: string + value: + description: Value must be of format `aa:nn` or `aa:nn:mm`. + For standard community use `aa:nn` format, where `aa` and + `nn` are 16 bit number. 
For large community use `aa:nn:mm` + format, where `aa`, `nn` and `mm` are 32 bit number. Where, + `aa` is an AS Number, `nn` and `mm` are per-AS identifier. + pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ + type: string + type: object + type: array + listenPort: + description: ListenPort is the port where BGP protocol should listen. + Defaults to 179 + maximum: 65535 + minimum: 1 + type: integer + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: INFO]' + type: string + nodeToNodeMeshEnabled: + description: 'NodeToNodeMeshEnabled sets whether full node to node + BGP mesh is enabled. [Default: true]' + type: boolean + prefixAdvertisements: + description: PrefixAdvertisements contains per-prefix advertisement + configuration. + items: + description: PrefixAdvertisement configures advertisement properties + for the specified CIDR. + properties: + cidr: + description: CIDR for which properties should be advertised. + type: string + communities: + description: Communities can be list of either community names + already defined in `Specs.Communities` or community value + of format `aa:nn` or `aa:nn:mm`. For standard community use + `aa:nn` format, where `aa` and `nn` are 16 bit number. For + large community use `aa:nn:mm` format, where `aa`, `nn` and + `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and + `mm` are per-AS identifier. + items: + type: string + type: array + type: object + type: array + serviceClusterIPs: + description: ServiceClusterIPs are the CIDR blocks from which service + cluster IPs are allocated. If specified, Calico will advertise these + blocks, as well as any cluster IPs within them. + items: + description: ServiceClusterIPBlock represents a single allowed ClusterIP + CIDR block. + properties: + cidr: + type: string + type: object + type: array + serviceExternalIPs: + description: ServiceExternalIPs are the CIDR blocks for Kubernetes + Service External IPs. 
Kubernetes Service ExternalIPs will only be + advertised if they are within one of these blocks. + items: + description: ServiceExternalIPBlock represents a single allowed + External IP CIDR block. + properties: + cidr: + type: string + type: object + type: array + serviceLoadBalancerIPs: + description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes + Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress + IPs will only be advertised if they are within one of these blocks. + items: + description: ServiceLoadBalancerIPBlock represents a single allowed + LoadBalancer IP CIDR block. + properties: + cidr: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/bgppeers.crd.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/bgppeers.crd.yaml new file mode 100755 index 0000000..bdbd2ee --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/bgppeers.crd.yaml 
@@ -0,0 +1,115 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_bgppeers.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: bgppeers.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BGPPeer + listKind: BGPPeerList + plural: bgppeers + singular: bgppeer + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPPeerSpec contains the specification for a BGPPeer resource. + properties: + asNumber: + description: The AS Number of the peer. + format: int32 + type: integer + keepOriginalNextHop: + description: Option to keep the original nexthop field when routes + are sent to a BGP Peer. Setting "true" configures the selected BGP + Peers node to use the "next hop keep;" instead of "next hop self;"(default) + in the specific branch of the Node on "bird.cfg". + type: boolean + maxRestartTime: + description: Time to allow for software restart. When specified, this + is configured as the graceful restart timeout. When not specified, + the BIRD default of 120s is used. + type: string + node: + description: The node name identifying the Calico node instance that + is targeted by this peer. 
If this is not set, and no nodeSelector + is specified, then this BGP peer selects all nodes in the cluster. + type: string + nodeSelector: + description: Selector for the nodes that should have this peering. When + this is set, the Node field must be empty. + type: string + password: + description: Optional BGP password for the peerings generated by this + BGPPeer resource. + properties: + secretKeyRef: + description: Selects a key of a secret in the node pod's namespace. + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + type: object + peerIP: + description: The IP address of the peer followed by an optional port + number to peer with. If port number is given, format should be `[]:port` + or `:` for IPv4. If optional port number is not set, + and this peer IP and ASNumber belongs to a calico/node with ListenPort + set in BGPConfiguration, then we use that port to peer. + type: string + peerSelector: + description: Selector for the remote nodes to peer with. When this + is set, the PeerIP and ASNumber fields must be empty. For each + peering between the local node and selected remote nodes, we configure + an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, + and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The + remote AS number comes from the remote node's NodeBGPSpec.ASNumber, + or the global default if that is not set. + type: string + sourceAddress: + description: Specifies whether and how to configure a source address + for the peerings generated by this BGPPeer resource. 
Default value + "UseNodeIP" means to configure the node IP as the source address. "None" + means not to configure a source address. + type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/blockaffinities.crd.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/blockaffinities.crd.yaml new file mode 100755 index 0000000..dbaaebc --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/blockaffinities.crd.yaml 
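Review bot: `asNumber` is constrained with `format: int32`, and since the apiserver validates format bounds on structural schemas, any 4-byte AS number above 2147483647 — which includes the private 4-byte range 4200000000–4294967294 — appears to be rejected at admission even though BGP AS numbers are 32-bit unsigned; if 4-byte ASNs are meant to be supported, drop the `int32` format and bound the field explicitly with `minimum: 0` and `maximum: 4294967295`. Separately, `password.secretKeyRef` makes the node pod's service account a Secret reader in its namespace; confirm that rbac.yaml (outside this hunk) grants that narrowly (namespace-scoped, ideally `resourceNames`-limited) rather than a cluster-wide `secrets` get/list. The `# Source:` header shows this file is vendored from upstream Calico, so the schema change belongs upstream or in whatever step produces this chart rather than as a hand edit here.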
@@ -0,0 +1,62 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_blockaffinities.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: blockaffinities.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BlockAffinity + listKind: BlockAffinityList + plural: blockaffinities + singular: blockaffinity + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BlockAffinitySpec contains the specification for a BlockAffinity + resource. + properties: + cidr: + type: string + deleted: + description: Deleted indicates that this block affinity is being deleted. + This field is a string for compatibility with older releases that + mistakenly treat this field as a string. + type: string + node: + type: string + state: + type: string + required: + - cidr + - deleted + - node + - state + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/clusterinformations.crd.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/clusterinformations.crd.yaml new file mode 100755 index 0000000..2f25897 --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/clusterinformations.crd.yaml 
@@ -0,0 +1,65 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_clusterinformations.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterinformations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: ClusterInformation + listKind: ClusterInformationList + plural: clusterinformations + singular: clusterinformation + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ClusterInformation contains the cluster specific information. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterInformationSpec contains the values of describing + the cluster. + properties: + calicoVersion: + description: CalicoVersion is the version of Calico that the cluster + is running + type: string + clusterGUID: + description: ClusterGUID is the GUID of the cluster + type: string + clusterType: + description: ClusterType describes the type of the cluster + type: string + datastoreReady: + description: DatastoreReady is used during significant datastore migrations + to signal to components such as Felix that it should wait before + accessing the datastore. + type: boolean + variant: + description: Variant declares which variant of Calico should be active. 
+ type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/felixconfigurations.crd.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/felixconfigurations.crd.yaml new file mode 100755 index 0000000..a1c3d6d --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/felixconfigurations.crd.yaml 
@@ -0,0 +1,565 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_felixconfigurations.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: felixconfigurations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: FelixConfiguration + listKind: FelixConfigurationList + plural: felixconfigurations + singular: felixconfiguration + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Felix Configuration contains the configuration for Felix. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FelixConfigurationSpec contains the values of the Felix configuration. + properties: + allowIPIPPacketsFromWorkloads: + description: 'AllowIPIPPacketsFromWorkloads controls whether Felix + will add a rule to drop IPIP encapsulated traffic from workloads + [Default: false]' + type: boolean + allowVXLANPacketsFromWorkloads: + description: 'AllowVXLANPacketsFromWorkloads controls whether Felix + will add a rule to drop VXLAN encapsulated traffic from workloads + [Default: false]' + type: boolean + awsSrcDstCheck: + description: 'Set source-destination-check on AWS EC2 instances. Accepted + value must be one of "DoNothing", "Enabled" or "Disabled". 
[Default: + DoNothing]' + enum: + - DoNothing + - Enable + - Disable + type: string + bpfConnectTimeLoadBalancingEnabled: + description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, + controls whether Felix installs the connection-time load balancer. The + connect-time load balancer is required for the host to be able to + reach Kubernetes services and it improves the performance of pod-to-service + connections. The only reason to disable it is for debugging purposes. [Default: + true]' + type: boolean + bpfDataIfacePattern: + description: BPFDataIfacePattern is a regular expression that controls + which interfaces Felix should attach BPF programs to in order to + catch traffic to/from the network. This needs to match the interfaces + that Calico workload traffic flows over as well as any interfaces + that handle incoming traffic to nodeports and services from outside + the cluster. It should not match the workload interfaces (usually + named cali...). + type: string + bpfDisableUnprivileged: + description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled + sysctl to disable unprivileged use of BPF. This ensures that unprivileged + users cannot access Calico''s BPF maps and cannot insert their own + BPF programs to interfere with Calico''s. [Default: true]' + type: boolean + bpfEnabled: + description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. + [Default: false]' + type: boolean + bpfExternalServiceMode: + description: 'BPFExternalServiceMode in BPF mode, controls how connections + from outside the cluster to services (node ports and cluster IPs) + are forwarded to remote workloads. If set to "Tunnel" then both + request and response traffic is tunneled to the remote node. If + set to "DSR", the request traffic is tunneled but the response traffic + is sent directly from the remote node. In "DSR" mode, the remote + node appears to use the IP of the ingress node; this requires a + permissive L2 network. 
[Default: Tunnel]' + type: string + bpfExtToServiceConnmark: + description: 'BPFExtToServiceConnmark in BPF mode, controls a + 32bit mark that is set on connections from an external client to + a local service. This mark allows us to control how packets of + that connection are routed within the host and how is routing + intepreted by RPF check. [Default: 0]' + type: integer + + bpfKubeProxyEndpointSlicesEnabled: + description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls + whether Felix's embedded kube-proxy accepts EndpointSlices or not. + type: boolean + bpfKubeProxyIptablesCleanupEnabled: + description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF + mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s + iptables chains. Should only be enabled if kube-proxy is not running. [Default: + true]' + type: boolean + bpfKubeProxyMinSyncPeriod: + description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the + minimum time between updates to the dataplane for Felix''s embedded + kube-proxy. Lower values give reduced set-up latency. Higher values + reduce Felix CPU usage by batching up more work. [Default: 1s]' + type: string + bpfLogLevel: + description: 'BPFLogLevel controls the log level of the BPF programs + when in BPF dataplane mode. One of "Off", "Info", or "Debug". The + logs are emitted to the BPF trace pipe, accessible with the command + `tc exec bpf debug`. [Default: Off].' + type: string + chainInsertMode: + description: 'ChainInsertMode controls whether Felix hooks the kernel''s + top-level iptables chains by inserting a rule at the top of the + chain or by appending a rule at the bottom. insert is the safe default + since it prevents Calico''s rules from being bypassed. If you switch + to append mode, be sure that the other rules in the chains signal + acceptance by falling through to the Calico rules, otherwise the + Calico policy will be bypassed. 
[Default: insert]' + type: string + dataplaneDriver: + type: string + debugDisableLogDropping: + type: boolean + debugMemoryProfilePath: + type: string + debugSimulateCalcGraphHangAfter: + type: string + debugSimulateDataplaneHangAfter: + type: string + defaultEndpointToHostAction: + description: 'DefaultEndpointToHostAction controls what happens to + traffic that goes from a workload endpoint to the host itself (after + the traffic hits the endpoint egress policy). By default Calico + blocks traffic from workload endpoints to the host itself with an + iptables "DROP" action. If you want to allow some or all traffic + from endpoint to host, set this parameter to RETURN or ACCEPT. Use + RETURN if you have your own rules in the iptables "INPUT" chain; + Calico will insert its rules at the top of that chain, then "RETURN" + packets to the "INPUT" chain once it has completed processing workload + endpoint egress policy. Use ACCEPT to unconditionally accept packets + from workloads after processing workload endpoint egress policy. + [Default: Drop]' + type: string + deviceRouteProtocol: + description: This defines the route protocol added to programmed device + routes, by default this will be RTPROT_BOOT when left blank. + type: integer + deviceRouteSourceAddress: + description: This is the source address to use on programmed device + routes. By default the source address is left blank, leaving the + kernel to choose the source address used. + type: string + disableConntrackInvalidCheck: + type: boolean + endpointReportingDelay: + type: string + endpointReportingEnabled: + type: boolean + externalNodesList: + description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes + which may source tunnel traffic and have the tunneled traffic be + accepted at calico nodes. 
+ items: + type: string + type: array + failsafeInboundHostPorts: + description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports + and CIDRs that Felix will allow incoming traffic to host endpoints + on irrespective of the security policy. This is useful to avoid + accidentally cutting off a host with incorrect configuration. For + back-compatibility, if the protocol is not specified, it defaults + to "tcp". If a CIDR is not specified, it will allow traffic from + all addresses. To disable all inbound host ports, use the value + none. The default value allows ssh access and DHCP. [Default: tcp:22, + udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' + items: + description: ProtoPort is combination of protocol, port, and CIDR. + Protocol and port must be specified. + properties: + net: + type: string + port: + type: integer + protocol: + type: string + required: + - port + - protocol + type: object + type: array + failsafeOutboundHostPorts: + description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports + and CIDRs that Felix will allow outgoing traffic from host endpoints + to irrespective of the security policy. This is useful to avoid + accidentally cutting off a host with incorrect configuration. For + back-compatibility, if the protocol is not specified, it defaults + to "tcp". If a CIDR is not specified, it will allow traffic from + all addresses. To disable all outbound host ports, use the value + none. The default value opens etcd''s standard ports to ensure that + Felix does not get cut off from etcd as well as allowing DHCP and + DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, + tcp:6667, udp:53, udp:67]' + items: + description: ProtoPort is combination of protocol, port, and CIDR. + Protocol and port must be specified. 
+ properties: + net: + type: string + port: + type: integer + protocol: + type: string + required: + - port + - protocol + type: object + type: array + featureDetectOverride: + description: FeatureDetectOverride is used to override the feature + detection. Values are specified in a comma separated list with no + spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". + "true" or "false" will force the feature, empty or omitted values + are auto-detected. + type: string + genericXDPEnabled: + description: 'GenericXDPEnabled enables Generic XDP so network cards + that don''t support XDP offload or driver modes can use XDP. This + is not recommended since it doesn''t provide better performance + than iptables. [Default: false]' + type: boolean + healthEnabled: + type: boolean + healthHost: + type: string + healthPort: + type: integer + interfaceExclude: + description: 'InterfaceExclude is a comma-separated list of interfaces + that Felix should exclude when monitoring for host endpoints. The + default value ensures that Felix ignores Kubernetes'' IPVS dummy + interface, which is used internally by kube-proxy. If you want to + exclude multiple interface names using a single value, the list + supports regular expressions. For regular expressions you must wrap + the value with ''/''. For example having values ''/^kube/,veth1'' + will exclude all interfaces that begin with ''kube'' and also the + interface ''veth1''. [Default: kube-ipvs0]' + type: string + interfacePrefix: + description: 'InterfacePrefix is the interface name prefix that identifies + workload endpoints and so distinguishes them from host endpoint + interfaces. Note: in environments other than bare metal, the orchestrators + configure this appropriately. For example our Kubernetes and Docker + integrations set the ''cali'' value, and our OpenStack integration + sets the ''tap'' value. 
[Default: cali]' + type: string + interfaceRefreshInterval: + description: InterfaceRefreshInterval is the period at which Felix + rescans local interfaces to verify their state. The rescan can be + disabled by setting the interval to 0. + type: string + ipipEnabled: + type: boolean + ipipMTU: + description: 'IPIPMTU is the MTU to set on the tunnel device. See + Configuring MTU [Default: 1440]' + type: integer + ipsetsRefreshInterval: + description: 'IpsetsRefreshInterval is the period at which Felix re-checks + all iptables state to ensure that no other process has accidentally + broken Calico''s rules. Set to 0 to disable iptables refresh. [Default: + 90s]' + type: string + iptablesBackend: + description: IptablesBackend specifies which backend of iptables will + be used. The default is legacy. + type: string + iptablesFilterAllowAction: + type: string + iptablesLockFilePath: + description: 'IptablesLockFilePath is the location of the iptables + lock file. You may need to change this if the lock file is not in + its standard location (for example if you have mapped it into Felix''s + container at a different path). [Default: /run/xtables.lock]' + type: string + iptablesLockProbeInterval: + description: 'IptablesLockProbeInterval is the time that Felix will + wait between attempts to acquire the iptables lock if it is not + available. Lower values make Felix more responsive when the lock + is contended, but use more CPU. [Default: 50ms]' + type: string + iptablesLockTimeout: + description: 'IptablesLockTimeout is the time that Felix will wait + for the iptables lock, or 0, to disable. To use this feature, Felix + must share the iptables lock file with all other processes that + also take the lock. When running Felix inside a container, this + requires the /run directory of the host to be mounted into the calico/node + or calico/felix container. 
[Default: 0s disabled]' + type: string + iptablesMangleAllowAction: + type: string + iptablesMarkMask: + description: 'IptablesMarkMask is the mask that Felix selects its + IPTables Mark bits from. Should be a 32 bit hexadecimal number with + at least 8 bits set, none of which clash with any other mark bits + in use on the system. [Default: 0xff000000]' + format: int32 + type: integer + iptablesNATOutgoingInterfaceFilter: + type: string + iptablesPostWriteCheckInterval: + description: 'IptablesPostWriteCheckInterval is the period after Felix + has done a write to the dataplane that it schedules an extra read + back in order to check the write was not clobbered by another process. + This should only occur if another application on the system doesn''t + respect the iptables lock. [Default: 1s]' + type: string + iptablesRefreshInterval: + description: 'IptablesRefreshInterval is the period at which Felix + re-checks the IP sets in the dataplane to ensure that no other process + has accidentally broken Calico''s rules. Set to 0 to disable IP + sets refresh. Note: the default for this value is lower than the + other refresh intervals as a workaround for a Linux kernel bug that + was fixed in kernel version 4.11. If you are using v4.11 or greater + you may want to set this to, a higher value to reduce Felix CPU + usage. [Default: 10s]' + type: string + ipv6Support: + type: boolean + kubeNodePortRanges: + description: 'KubeNodePortRanges holds list of port ranges used for + service node ports. Only used if felix detects kube-proxy running + in ipvs mode. Felix uses these ranges to separate host and workload + traffic. [Default: 30000:32767].' + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + logFilePath: + description: 'LogFilePath is the full path to the Felix log. Set to + none to disable file logging. 
[Default: /var/log/calico/felix.log]' + type: string + logPrefix: + description: 'LogPrefix is the log prefix that Felix uses when rendering + LOG rules. [Default: calico-packet]' + type: string + logSeverityFile: + description: 'LogSeverityFile is the log severity above which logs + are sent to the log file. [Default: Info]' + type: string + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: Info]' + type: string + logSeveritySys: + description: 'LogSeveritySys is the log severity above which logs + are sent to the syslog. Set to None for no logging to syslog. [Default: + Info]' + type: string + maxIpsetSize: + type: integer + metadataAddr: + description: 'MetadataAddr is the IP address or domain name of the + server that can answer VM queries for cloud-init metadata. In OpenStack, + this corresponds to the machine running nova-api (or in Ubuntu, + nova-api-metadata). A value of none (case insensitive) means that + Felix should not set up any NAT rule for the metadata path. [Default: + 127.0.0.1]' + type: string + metadataPort: + description: 'MetadataPort is the port of the metadata server. This, + combined with global.MetadataAddr (if not ''None''), is used to + set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. + In most cases this should not need to be changed [Default: 8775].' + type: integer + mtuIfacePattern: + description: MTUIfacePattern is a regular expression that controls + which interfaces Felix should scan in order to calculate the host's + MTU. This should not match workload interfaces (usually named cali...). + type: string + natOutgoingAddress: + description: NATOutgoingAddress specifies an address to use when performing + source NAT for traffic in a natOutgoing pool that is leaving the + network. 
By default the address used is an address on the interface + the traffic is leaving on (ie it uses the iptables MASQUERADE target) + type: string + natPortRange: + anyOf: + - type: integer + - type: string + description: NATPortRange specifies the range of ports that is used + for port mapping when doing outgoing NAT. When unset the default + behavior of the network stack is used. + pattern: ^.* + x-kubernetes-int-or-string: true + netlinkTimeout: + type: string + openstackRegion: + description: 'OpenstackRegion is the name of the region that a particular + Felix belongs to. In a multi-region Calico/OpenStack deployment, + this must be configured somehow for each Felix (here in the datamodel, + or in felix.cfg or the environment on each compute node), and must + match the [calico] openstack_region value configured in neutron.conf + on each node. [Default: Empty]' + type: string + policySyncPathPrefix: + description: 'PolicySyncPathPrefix is used to by Felix to communicate + policy changes to external services, like Application layer policy. + [Default: Empty]' + type: string + prometheusGoMetricsEnabled: + description: 'PrometheusGoMetricsEnabled disables Go runtime metrics + collection, which the Prometheus client does by default, when set + to false. This reduces the number of metrics reported, reducing + Prometheus load. [Default: true]' + type: boolean + prometheusMetricsEnabled: + description: 'PrometheusMetricsEnabled enables the Prometheus metrics + server in Felix if set to true. [Default: false]' + type: boolean + prometheusMetricsHost: + description: 'PrometheusMetricsHost is the host that the Prometheus + metrics server should bind to. [Default: empty]' + type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. 
[Default: 9091]' + type: integer + prometheusProcessMetricsEnabled: + description: 'PrometheusProcessMetricsEnabled disables process metrics + collection, which the Prometheus client does by default, when set + to false. This reduces the number of metrics reported, reducing + Prometheus load. [Default: true]' + type: boolean + removeExternalRoutes: + description: Whether or not to remove device routes that have not + been programmed by Felix. Disabling this will allow external applications + to also add device routes. This is enabled by default which means + we will remove externally added routes. + type: boolean + reportingInterval: + description: 'ReportingInterval is the interval at which Felix reports + its status into the datastore or 0 to disable. Must be non-zero + in OpenStack deployments. [Default: 30s]' + type: string + reportingTTL: + description: 'ReportingTTL is the time-to-live setting for process-wide + status reports. [Default: 90s]' + type: string + routeRefreshInterval: + description: 'RouteRefreshInterval is the period at which Felix re-checks + the routes in the dataplane to ensure that no other process has + accidentally broken Calico''s rules. Set to 0 to disable route refresh. + [Default: 90s]' + type: string + routeSource: + description: 'RouteSource configures where Felix gets its routing + information. - WorkloadIPs: use workload endpoints to construct + routes. - CalicoIPAM: the default - use IPAM data to construct routes.' + type: string + routeTableRange: + description: Calico programs additional Linux route tables for various + purposes. RouteTableRange specifies the indices of the route tables + that Calico should use. + properties: + max: + type: integer + min: + type: integer + required: + - max + - min + type: object + serviceLoopPrevention: + description: 'When service IP advertisement is enabled, prevent routing + loops to service IPs that are not in use, by dropping or rejecting + packets that do not get DNAT''d by kube-proxy. 
Unless set to "Disabled", + in which case such routing loops continue to be allowed. [Default: + Drop]' + type: string + sidecarAccelerationEnabled: + description: 'SidecarAccelerationEnabled enables experimental sidecar + acceleration [Default: false]' + type: boolean + usageReportingEnabled: + description: 'UsageReportingEnabled reports anonymous Calico version + number and cluster size to projectcalico.org. Logs warnings returned + by the usage server. For example, if a significant security vulnerability + has been discovered in the version of Calico being used. [Default: + true]' + type: boolean + usageReportingInitialDelay: + description: 'UsageReportingInitialDelay controls the minimum delay + before Felix makes a report. [Default: 300s]' + type: string + usageReportingInterval: + description: 'UsageReportingInterval controls the interval at which + Felix makes reports. [Default: 86400s]' + type: string + useInternalDataplaneDriver: + type: boolean + vxlanEnabled: + type: boolean + vxlanMTU: + description: 'VXLANMTU is the MTU to set on the tunnel device. See + Configuring MTU [Default: 1440]' + type: integer + vxlanPort: + type: integer + vxlanVNI: + type: integer + wireguardEnabled: + description: 'WireguardEnabled controls whether Wireguard is enabled. + [Default: false]' + type: boolean + wireguardInterfaceName: + description: 'WireguardInterfaceName specifies the name to use for + the Wireguard interface. [Default: wg.calico]' + type: string + wireguardListeningPort: + description: 'WireguardListeningPort controls the listening port used + by Wireguard. [Default: 51820]' + type: integer + wireguardMTU: + description: 'WireguardMTU controls the MTU on the Wireguard interface. + See Configuring MTU [Default: 1420]' + type: integer + wireguardRoutingRulePriority: + description: 'WireguardRoutingRulePriority controls the priority value + to use for the Wireguard routing rule. 
[Default: 99]' + type: integer + xdpEnabled: + description: 'XDPEnabled enables XDP acceleration for suitable untracked + incoming deny rules. [Default: true]' + type: boolean + xdpRefreshInterval: + description: 'XDPRefreshInterval is the period at which Felix re-checks + all XDP state to ensure that no other process has accidentally broken + Calico''s BPF maps or attached programs. Set to 0 to disable XDP + refresh. [Default: 90s]' + type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/globalnetworkpolicies.crd.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/globalnetworkpolicies.crd.yaml new file mode 100755 index 0000000..1cf624f --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/globalnetworkpolicies.crd.yaml 
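Review bot: `awsSrcDstCheck` contradicts itself: its description says the accepted values are "DoNothing", "Enabled" or "Disabled", but the `enum` enforces `DoNothing`/`Enable`/`Disable`, so a user who follows the description is rejected at admission; change the description to `Accepted value must be one of "DoNothing", "Enable" or "Disable".` (or widen the enum) so the two agree. The other string options with a fixed value set — `bpfExternalServiceMode`, `chainInsertMode`, `defaultEndpointToHostAction`, `serviceLoopPrevention`, `bpfLogLevel`, `logSeverityScreen`/`logSeverityFile`/`logSeveritySys` — carry no `enum` at all, so a misspelling such as `serviceLoopPrevention: Disable` is accepted by the apiserver and only surfaces, if at all, in Felix's own config parsing; adding enums would catch these at admission, which matters most for the host-protection knobs whose descriptions already warn that `chainInsertMode: append` can let Calico rules be bypassed and `defaultEndpointToHostAction: ACCEPT` unconditionally admits workload-to-host traffic. The `# Source:` header shows this file is vendored from upstream Calico, so these fixes belong upstream or in the step that produces this chart rather than as a hand edit here.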
@@ -0,0 +1,856 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_globalnetworkpolicies.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: globalnetworkpolicies.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: GlobalNetworkPolicy + listKind: GlobalNetworkPolicyList + plural: globalnetworkpolicies + singular: globalnetworkpolicy + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + applyOnForward: + description: ApplyOnForward indicates to apply the rules in this policy + on forward traffic. + type: boolean + doNotTrack: + description: DoNotTrack indicates whether packets matched by the rules + in this policy should go through the data plane's connection tracking, + such as Linux conntrack. If True, the rules in this policy are + applied before any data plane connection tracking, and packets allowed + by this policy are marked as not to be tracked. + type: boolean + egress: + description: The ordered set of egress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. 
Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with \"Not\". All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. 
Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." 
+ type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. 
+ items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. 
This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." 
+ type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. 
+ One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. 
+ type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + required: + - action + type: object + type: array + ingress: + description: The ordered set of ingress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with \"Not\". All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." 
+ type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. 
+ One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. 
+ type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. 
+ type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. 
\n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). 
+ \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. 
\n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + required: + - action + type: object + type: array + namespaceSelector: + description: NamespaceSelector is an optional field for an expression + used to select a pod based on namespaces. + type: string + order: + description: Order is an optional field that specifies the order in + which the policy is applied. Policies with higher "order" are applied + after those with lower order. If the order is omitted, it may be + considered to be "infinite" - i.e. the policy will be applied last. Policies + with identical order will be applied in alphanumerical order based + on the Policy "Name". + type: number + preDNAT: + description: PreDNAT indicates to apply the rules in this policy before + any DNAT. + type: boolean + selector: + description: "The selector is an expression used to pick pick out + the endpoints that the policy should be applied to. \n Selector + expressions follow this syntax: \n \tlabel == \"string_literal\" + \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" + \ -> not equal; also matches if label is not present \tlabel in + { \"a\", \"b\", \"c\", ... } -> true if the value of label X is + one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", + ... } -> true if the value of label X is not one of \"a\", \"b\", + \"c\" \thas(label_name) -> True if that label is present \t! 
expr + -> negation of expr \texpr && expr -> Short-circuit and \texpr + || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + or the empty selector -> matches all endpoints. \n Label names are + allowed to contain alphanumerics, -, _ and /. String literals are + more permissive but they do not support escape characters. \n Examples + (with made-up labels): \n \ttype == \"webserver\" && deployment + == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != + \"dev\" \t! has(label_name)" + type: string + serviceAccountSelector: + description: ServiceAccountSelector is an optional field for an expression + used to select a pod based on service accounts. + type: string + types: + description: "Types indicates whether this policy applies to ingress, + or to egress, or to both. When not explicitly specified (and so + the value on creation is empty or nil), Calico defaults Types according + to what Ingress and Egress rules are present in the policy. The + default is: \n - [ PolicyTypeIngress ], if there are no Egress rules + (including the case where there are also no Ingress rules) \n + - [ PolicyTypeEgress ], if there are Egress rules but no Ingress + rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are + both Ingress and Egress rules. \n When the policy is read back again, + Types will always be one of these values, never empty or nil." + items: + description: PolicyType enumerates the possible values of the PolicySpec + Types field. + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/globalnetworksets.crd.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/globalnetworksets.crd.yaml new file mode 100755 index 0000000..6024037 --- /dev/null 
+++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/globalnetworksets.crd.yaml @@ -0,0 +1,55 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_globalnetworksets.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: globalnetworksets.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: GlobalNetworkSet + listKind: GlobalNetworkSetList + plural: globalnetworksets + singular: globalnetworkset + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs + that share labels to allow rules to refer to them via selectors. The labels + of GlobalNetworkSet are not namespaced. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GlobalNetworkSetSpec contains the specification for a NetworkSet + resource. + properties: + nets: + description: The list of IP networks that belong to this set. + items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + 
diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/hostendpoints.crd.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/hostendpoints.crd.yaml new file mode 100755 index 0000000..797801d --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/hostendpoints.crd.yaml 
@@ -0,0 +1,109 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_hostendpoints.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: hostendpoints.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: HostEndpoint + listKind: HostEndpointList + plural: hostendpoints + singular: hostendpoint + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HostEndpointSpec contains the specification for a HostEndpoint + resource. + properties: + expectedIPs: + description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. + If \"InterfaceName\" is not present, Calico will look for an interface + matching any of the IPs in the list and apply policy to that. Note: + \tWhen using the selector match criteria in an ingress or egress + security Policy \tor Profile, Calico converts the selector into + a set of IP addresses. For host \tendpoints, the ExpectedIPs field + is used for that purpose. 
(If only the interface \tname is specified, + Calico does not learn the IPs of the interface for use in match + \tcriteria.)" + items: + type: string + type: array + interfaceName: + description: "Either \"*\", or the name of a specific Linux interface + to apply policy to; or empty. \"*\" indicates that this HostEndpoint + governs all traffic to, from or through the default network namespace + of the host named by the \"Node\" field; entering and leaving that + namespace via any interface, including those from/to non-host-networked + local workloads. \n If InterfaceName is not \"*\", this HostEndpoint + only governs traffic that enters or leaves the host through the + specific interface named by InterfaceName, or - when InterfaceName + is empty - through the specific interface that has one of the IPs + in ExpectedIPs. Therefore, when InterfaceName is empty, at least + one expected IP must be specified. Only external interfaces (such + as \"eth0\") are supported here; it isn't possible for a HostEndpoint + to protect traffic through a specific local workload interface. + \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; + initially just pre-DNAT policy. Please check Calico documentation + for the latest position." + type: string + node: + description: The node name identifying the Calico node instance. + type: string + ports: + description: Ports contains the endpoint's named ports, which may + be referenced in security policy rules. + items: + properties: + name: + type: string + port: + type: integer + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + required: + - name + - port + - protocol + type: object + type: array + profiles: + description: A list of identifiers of security Profile objects that + apply to this endpoint. Each profile is applied in the order that + they appear in this list. Profile rules are applied after the selector-based + security policy. 
+ items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/ipamblocks.crd.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/ipamblocks.crd.yaml new file mode 100755 index 0000000..efc9f1f --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/ipamblocks.crd.yaml 
@@ -0,0 +1,82 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_ipamblocks.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ipamblocks.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPAMBlock + listKind: IPAMBlockList + plural: ipamblocks + singular: ipamblock + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMBlockSpec contains the specification for an IPAMBlock + resource. + properties: + affinity: + type: string + allocations: + items: + type: integer + # TODO: This nullable is manually added in. We should update controller-gen + # to handle []*int properly itself. 
+ nullable: true + type: array + attributes: + items: + properties: + handle_id: + type: string + secondary: + additionalProperties: + type: string + type: object + type: object + type: array + cidr: + type: string + deleted: + type: boolean + strictAffinity: + type: boolean + unallocated: + items: + type: integer + type: array + required: + - allocations + - attributes + - cidr + - strictAffinity + - unallocated + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/ipamconfigs.crd.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/ipamconfigs.crd.yaml new file mode 100755 index 0000000..b03a308 --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/ipamconfigs.crd.yaml 
@@ -0,0 +1,57 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_ipamconfigs.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ipamconfigs.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPAMConfig + listKind: IPAMConfigList + plural: ipamconfigs + singular: ipamconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMConfigSpec contains the specification for an IPAMConfig + resource. + properties: + autoAllocateBlocks: + type: boolean + maxBlocksPerHost: + description: MaxBlocksPerHost, if non-zero, is the max number of blocks + that can be affine to each host. + type: integer + strictAffinity: + type: boolean + required: + - autoAllocateBlocks + - strictAffinity + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/ipamhandles.crd.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/ipamhandles.crd.yaml new file mode 100755 index 0000000..06a6306 --- /dev/null 
+++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/ipamhandles.crd.yaml @@ -0,0 +1,57 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_ipamhandles.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ipamhandles.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPAMHandle + listKind: IPAMHandleList + plural: ipamhandles + singular: ipamhandle + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMHandleSpec contains the specification for an IPAMHandle + resource. + properties: + block: + additionalProperties: + type: integer + type: object + deleted: + type: boolean + handleID: + type: string + required: + - block + - handleID + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/ippools.crd.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/ippools.crd.yaml new file mode 100755 index 0000000..6b8c9d1 --- /dev/null 
+++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/ippools.crd.yaml 
@@ -0,0 +1,100 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_ippools.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPPool + listKind: IPPoolList + plural: ippools + singular: ippool + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPPoolSpec contains the specification for an IPPool resource. + properties: + blockSize: + description: The block size to use for IP address assignments from + this pool. Defaults to 26 for IPv4 and 112 for IPv6. + type: integer + cidr: + description: The pool CIDR. + type: string + disabled: + description: When disabled is true, Calico IPAM will not assign addresses + from this pool. + type: boolean + ipip: + description: 'Deprecated: this field is only used for APIv1 backwards + compatibility. Setting this field is not allowed, this field is + for internal use only.' + properties: + enabled: + description: When enabled is true, ipip tunneling will be used + to deliver packets to destinations within this pool. + type: boolean + mode: + description: The IPIP mode. This can be one of "always" or "cross-subnet". 
A + mode of "always" will also use IPIP tunneling for routing to + destination IP addresses within this pool. A mode of "cross-subnet" + will only use IPIP tunneling when the destination node is on + a different subnet to the originating node. The default value + (if not specified) is "always". + type: string + type: object + ipipMode: + description: Contains configuration for IPIP tunneling for this pool. + If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling + is disabled). + type: string + nat-outgoing: + description: 'Deprecated: this field is only used for APIv1 backwards + compatibility. Setting this field is not allowed, this field is + for internal use only.' + type: boolean + natOutgoing: + description: When nat-outgoing is true, packets sent from Calico networked + containers in this pool to destinations outside of this pool will + be masqueraded. + type: boolean + nodeSelector: + description: Allows IPPool to allocate for a specific node by label + selector. + type: string + vxlanMode: + description: Contains configuration for VXLAN tunneling for this pool. + If not specified, then this is defaulted to "Never" (i.e. VXLAN + tunneling is disabled). + type: string + required: + - cidr + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/networkpolicies.crd.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/networkpolicies.crd.yaml new file mode 100755 index 0000000..f729b6e --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/networkpolicies.crd.yaml 
@@ -0,0 +1,838 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_networkpolicies.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: NetworkPolicy + listKind: NetworkPolicyList + plural: networkpolicies + singular: networkpolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + egress: + description: The ordered set of egress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with \"Not\". All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." 
+ properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. 
+ type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. 
+ items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. 
+ It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. 
+ pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. 
Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." 
+ type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + required: + - action + type: object + type: array + ingress: + description: The ordered set of ingress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. 
Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with \"Not\". All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. 
Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." 
+ type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. 
+ items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. 
This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." 
+ type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. 
+ One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. 
+ type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + required: + - action + type: object + type: array + order: + description: Order is an optional field that specifies the order in + which the policy is applied. Policies with higher "order" are applied + after those with lower order. If the order is omitted, it may be + considered to be "infinite" - i.e. the policy will be applied last. Policies + with identical order will be applied in alphanumerical order based + on the Policy "Name". + type: number + selector: + description: "The selector is an expression used to pick pick out + the endpoints that the policy should be applied to. \n Selector + expressions follow this syntax: \n \tlabel == \"string_literal\" + \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" + \ -> not equal; also matches if label is not present \tlabel in + { \"a\", \"b\", \"c\", ... } -> true if the value of label X is + one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", + ... } -> true if the value of label X is not one of \"a\", \"b\", + \"c\" \thas(label_name) -> True if that label is present \t! expr + -> negation of expr \texpr && expr -> Short-circuit and \texpr + || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + or the empty selector -> matches all endpoints. \n Label names are + allowed to contain alphanumerics, -, _ and /. String literals are + more permissive but they do not support escape characters. \n Examples + (with made-up labels): \n \ttype == \"webserver\" && deployment + == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != + \"dev\" \t! has(label_name)" + type: string + serviceAccountSelector: + description: ServiceAccountSelector is an optional field for an expression + used to select a pod based on service accounts. 
+ type: string + types: + description: "Types indicates whether this policy applies to ingress, + or to egress, or to both. When not explicitly specified (and so + the value on creation is empty or nil), Calico defaults Types according + to what Ingress and Egress are present in the policy. The default + is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including + the case where there are also no Ingress rules) \n - [ PolicyTypeEgress + ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, + PolicyTypeEgress ], if there are both Ingress and Egress rules. + \n When the policy is read back again, Types will always be one + of these values, never empty or nil." + items: + description: PolicyType enumerates the possible values of the PolicySpec + Types field. + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/networksets.crd.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/networksets.crd.yaml new file mode 100755 index 0000000..2e545a1 --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/crds/networksets.crd.yaml 
@@ -0,0 +1,52 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_networksets.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networksets.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: NetworkSet + listKind: NetworkSetList + plural: networksets + singular: networkset + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NetworkSetSpec contains the specification for a NetworkSet + resource. + properties: + nets: + description: The list of IP networks that belong to this set. + items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/daemonset.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/daemonset.yaml new file mode 100755 index 0000000..8ee8512 --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/daemonset.yaml 
@@ -0,0 +1,266 @@
+---
+# Source: calico/templates/calico-node.yaml
+# This manifest installs the canal container, as well
+# as the CNI plugins and network config on
+# each master and worker node in a Kubernetes cluster.
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+ name: {{ .Release.Name | quote }}
+ namespace: kube-system
+ labels:
+ k8s-app: canal
+spec:
+ selector:
+ matchLabels:
+ k8s-app: canal
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+ template:
+ metadata:
+ labels:
+ k8s-app: canal
+ annotations:
+ # This, along with the CriticalAddonsOnly toleration below,
+ # marks the pod as a critical add-on, ensuring it gets
+ # priority scheduling and that its resources are reserved
+ # if it ever gets evicted.
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+ nodeSelector:
+ kubernetes.io/os: linux
+ hostNetwork: true
+ tolerations:
+ # Make sure canal gets scheduled on all nodes.
+ - effect: NoSchedule
+ operator: Exists
+ # Mark the pod as a critical add-on for rescheduling.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ serviceAccountName: canal
+ # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+ # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+ terminationGracePeriodSeconds: 0
+ priorityClassName: system-node-critical
+ initContainers:
+ # This container installs the CNI binaries
+ # and CNI network config file on each node.
+ - name: install-cni
+ image: {{ template "system_default_registry" . }}{{ .Values.calico.cniImage.repository }}:{{ .Values.calico.cniImage.tag }}
+ command: ["/opt/cni/bin/install"]
+ env:
+ # Name of the CNI config file to create.
+ - name: CNI_CONF_NAME
+ value: "10-canal.conflist"
+ # The CNI network config to install on each node.
+ - name: CNI_NETWORK_CONFIG
+ valueFrom:
+ configMapKeyRef:
+ name: {{ .Release.Name }}-config
+ key: cni_network_config
+ # Set the hostname based on the k8s node name.
+ - name: KUBERNETES_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ # CNI MTU Config variable
+ - name: CNI_MTU
+ valueFrom:
+ configMapKeyRef:
+ name: {{ .Release.Name }}-config
+ key: veth_mtu
+ # Prevents the container from sleeping forever.
+ - name: SLEEP
+ value: "false"
+ volumeMounts:
+ - mountPath: /host/opt/cni/bin
+ name: cni-bin-dir
+ - mountPath: /host/etc/cni/net.d
+ name: cni-net-dir
+ securityContext:
+ privileged: true
+ # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
+ # to communicate with Felix over the Policy Sync API.
+ - name: flexvol-driver
+ image: {{ template "system_default_registry" . }}{{ .Values.calico.flexvolImage.repository }}:{{ .Values.calico.flexvolImage.tag }}
+ command: ['/usr/local/bin/flexvol.sh', '-s', '/usr/local/bin/flexvol', '-i', 'flexvoldriver']
+ volumeMounts:
+ - name: flexvol-driver-host
+ mountPath: /host/driver
+ securityContext:
+ privileged: true
+ containers:
+ # Runs canal container on each Kubernetes node. This
+ # container programs network policy and routes on each
+ # host.
+ - name: calico-node
+ command:
+ - "start_runit"
+ image: {{ template "system_default_registry" . }}{{ .Values.calico.nodeImage.repository }}:{{ .Values.calico.nodeImage.tag }}
+ env:
+ # Use Kubernetes API as the backing datastore.
+ - name: DATASTORE_TYPE
+ value: {{ .Values.calico.datastoreType | quote }}
+ # Configure route aggregation based on pod CIDR.
+ - name: USE_POD_CIDR
+ value: {{ .Values.calico.usePodCIDR | quote }}
+ # Wait for the datastore.
+ - name: WAIT_FOR_DATASTORE
+ value: {{ .Values.calico.waitForDatastore | quote }}
+ # Set based on the k8s node name.
+ - name: NODENAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ # Don't enable BGP.
+ - name: CALICO_NETWORKING_BACKEND
+ value: {{ .Values.calico.networkingBackend | quote }}
+ # Cluster type to identify the deployment type
+ - name: CLUSTER_TYPE
+ value: {{ .Values.calico.clusterType | quote}}
+ # Period, in seconds, at which felix re-applies all iptables state
+ - name: FELIX_IPTABLESREFRESHINTERVAL
+ value: {{ .Values.calico.felixIptablesRefreshInterval | quote}}
+ - name: FELIX_IPTABLESBACKEND
+ value: {{ .Values.calico.felixIptablesBackend | quote}}
+ # No IP address needed.
+ - name: IP
+ value: ""
+ # The default IPv4 pool to create on startup if none exists. Pod IPs will be
+ # chosen from this range. Changing this value after installation will have
+ # no effect. This should fall within `--cluster-cidr`.
+ # - name: CALICO_IPV4POOL_CIDR
+ # value: "192.168.0.0/16"
+ # Disable file logging so `kubectl logs` works.
+ - name: CALICO_DISABLE_FILE_LOGGING
+ value: "true"
+ # Set Felix endpoint to host default action to ACCEPT.
+ - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
+ value: {{ .Values.calico.felixDefaultEndpointToHostAction | quote }}
+ # Disable IPv6 on Kubernetes.
+ - name: FELIX_IPV6SUPPORT
+ value: {{ .Values.calico.felixIpv6Support | quote }}
+ # Set Felix logging to "info"
+ - name: FELIX_LOGSEVERITYSCREEN
+ value: {{ .Values.calico.felixLogSeverityScreen | quote }}
+ - name: FELIX_HEALTHENABLED
+ value: {{ .Values.calico.felixHealthEnabled | quote }}
+ # enable promentheus metrics
+ - name: FELIX_PROMETHEUSMETRICSENABLED
+ value: {{ .Values.calico.felixPrometheusMetricsEnabled | quote }}
+ - name: FELIX_XDPENABLED
+ value: {{ .Values.calico.felixXDPEnabled | quote }}
+ - name: FELIX_FAILSAFEINBOUNDHOSTPORTS
+ value: {{ .Values.calico.felixFailsafeInboundHostPorts | quote }}
+ - name: FELIX_FAILSAFEOUTBOUNDHOSTPORTS
+ value: {{ .Values.calico.felixFailsafeOutboundHostPorts | quote }}
+ securityContext:
+ privileged: true
+ resources:
+ requests:
+ cpu: 250m
+ livenessProbe:
+ exec:
+ command:
+ - /bin/calico-node
+ - -felix-live
+ periodSeconds: 10
+ initialDelaySeconds: 10
+ failureThreshold: 6
+ readinessProbe:
+ httpGet:
+ path: /readiness
+ port: 9099
+ host: localhost
+ periodSeconds: 10
+ volumeMounts:
+ - mountPath: /lib/modules
+ name: lib-modules
+ readOnly: true
+ - mountPath: /run/xtables.lock
+ name: xtables-lock
+ readOnly: false
+ - mountPath: /var/run/calico
+ name: var-run-calico
+ readOnly: false
+ - mountPath: /var/lib/calico
+ name: var-lib-calico
+ readOnly: false
+ - name: policysync
+ mountPath: /var/run/nodeagent
+ # This container runs flannel using the kube-subnet-mgr backend
+ # for allocating subnets.
+ - name: kube-flannel
+ image: {{ template "system_default_registry" . }}{{ .Values.flannel.image.repository }}:{{ .Values.flannel.image.tag }}
+ command:
+ - "/opt/bin/flanneld"
+ {{- range .Values.flannel.args }}
+ - {{ . 
| quote }}
+ {{- end }}
+ securityContext:
+ privileged: true
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: FLANNELD_IFACE
+ valueFrom:
+ configMapKeyRef:
+ name: {{ .Release.Name }}-config
+ key: canal_iface
+ - name: FLANNELD_IP_MASQ
+ valueFrom:
+ configMapKeyRef:
+ name: {{ .Release.Name }}-config
+ key: masquerade
+ volumeMounts:
+ - mountPath: /run/xtables.lock
+ name: xtables-lock
+ readOnly: false
+ - name: flannel-cfg
+ mountPath: /etc/kube-flannel/
+ volumes:
+ # Used by canal.
+ - name: lib-modules
+ hostPath:
+ path: /lib/modules
+ - name: var-run-calico
+ hostPath:
+ path: /var/run/calico
+ - name: var-lib-calico
+ hostPath:
+ path: /var/lib/calico
+ - name: xtables-lock
+ hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
+ # Used by flannel.
+ - name: flannel-cfg
+ configMap:
+ name: {{ .Release.Name }}-config
+ # Used to install CNI.
+ - name: cni-bin-dir
+ hostPath:
+ path: /opt/cni/bin
+ - name: cni-net-dir
+ hostPath:
+ path: /etc/cni/net.d
+ # Used to create per-pod Unix Domain Sockets
+ - name: policysync
+ hostPath:
+ type: DirectoryOrCreate
+ path: /var/run/nodeagent
+ # Used to install Flex Volume Driver
+ - name: flexvol-driver-host
+ hostPath:
+ type: DirectoryOrCreate
+ path: {{ .Values.calico.flexVolumePluginDir }}/nodeagent~uds
diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/rbac.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/rbac.yaml
new file mode 100755
index 0000000..cd39730
--- /dev/null
+++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/rbac.yaml
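Review bot: The `scheduler.alpha.kubernetes.io/critical-pod: ''` annotation in the pod template, together with its four-line comment, is the deprecated way of marking a critical pod; `priorityClassName: system-node-critical` a few lines further down already provides the scheduling priority, so the annotation is dead weight and its comment now misdescribes what makes the pod critical. I would drop the annotation and its comment and reword the toleration comment to `# Mark the pod as a critical add-on for rescheduling; priorityClassName below gives it scheduling priority.` Separately, `CALICO_DISABLE_FILE_LOGGING` is hard-coded to `"true"` here while values.yaml (later in this patch) exposes `calico.disableFileLogging`, which this template never reads; either template it as `value: {{ .Values.calico.disableFileLogging | quote }}` or remove the unused key. The three `| quote}}` pipes under CLUSTER_TYPE and the FELIX_IPTABLES* entries also lack the space before `}}` that every other line in the file uses.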
@@ -0,0 +1,163 @@
+---
+# Source: calico/templates/rbac.yaml
+
+# Include a clusterrole for the calico-node DaemonSet,
+# and bind it to the calico-node serviceaccount.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: calico-node
+rules:
+ # The CNI plugin needs to get pods, nodes, and namespaces.
+ - apiGroups: [""]
+ resources:
+ - pods
+ - nodes
+ - namespaces
+ verbs:
+ - get
+ - apiGroups: [""]
+ resources:
+ - endpoints
+ - services
+ verbs:
+ # Used to discover service IPs for advertisement.
+ - watch
+ - list
+ # Used to discover Typhas.
+ - get
+ # Pod CIDR auto-detection on kubeadm needs access to config maps.
+ - apiGroups: [""]
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - apiGroups: [""]
+ resources:
+ - nodes/status
+ verbs:
+ # Needed for clearing NodeNetworkUnavailable flag.
+ - patch
+ # Calico stores some configuration information in node annotations.
+ - update
+ # Watch for changes to Kubernetes NetworkPolicies.
+ - apiGroups: ["networking.k8s.io"]
+ resources:
+ - networkpolicies
+ verbs:
+ - watch
+ - list
+ # Used by Calico for policy information.
+ - apiGroups: [""]
+ resources:
+ - pods
+ - namespaces
+ - serviceaccounts
+ verbs:
+ - list
+ - watch
+ # The CNI plugin patches pods/status.
+ - apiGroups: [""]
+ resources:
+ - pods/status
+ verbs:
+ - patch
+ # Calico monitors various CRDs for config.
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - globalfelixconfigs
+ - felixconfigurations
+ - bgppeers
+ - globalbgpconfigs
+ - bgpconfigurations
+ - ippools
+ - ipamblocks
+ - globalnetworkpolicies
+ - globalnetworksets
+ - networkpolicies
+ - networksets
+ - clusterinformations
+ - hostendpoints
+ - blockaffinities
+ verbs:
+ - get
+ - list
+ - watch
+ # Calico must create and update some CRDs on startup.
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - ippools
+ - felixconfigurations
+ - clusterinformations
+ verbs:
+ - create
+ - update
+ # Calico stores some configuration information on the node.
+ - apiGroups: [""]
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+ # These permissions are only requried for upgrade from v2.6, and can
+ # be removed after upgrade or on fresh installations.
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - bgpconfigurations
+ - bgppeers
+ verbs:
+ - create
+ - update
+
+---
+# Flannel ClusterRole
+# Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: flannel
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ verbs:
+ - get
+ - apiGroups: [""]
+ resources:
+ - nodes
+ verbs:
+ - list
+ - watch
+ - apiGroups: [""]
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+---
+# Bind the flannel ClusterRole to the canal ServiceAccount.
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: canal-flannel
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: flannel
+subjects:
+- kind: ServiceAccount
+ name: canal
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: canal-calico
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico-node
+subjects:
+- kind: ServiceAccount
+ name: canal
+ namespace: kube-system
diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/serviceaccount.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/serviceaccount.yaml
new file mode 100755
index 0000000..582d55b
--- /dev/null
+++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/templates/serviceaccount.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: canal
+ namespace: kube-system
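Review bot: The final calico-node rule grants `create`/`update` on `bgpconfigurations` and `bgppeers` under a comment that says the permissions are `only requried for upgrade from v2.6, and can be removed after upgrade or on fresh installations`; this is a new chart version that ships with BGP turned off (`networkingBackend: none` in values.yaml), so that rule extends the canal service account's write access with no stated current purpose. Unless calico-node still needs it at startup on this version, I would drop the rule, and otherwise replace the comment with one naming the actual reason (and fix the `requried` typo either way). The calico-node role already covers everything the `flannel` ClusterRole grants (pods get, nodes list/watch, nodes/status patch), so binding both to the same `canal` ServiceAccount adds no permission; a note such as `# Subset of calico-node; kept for parity with upstream flannel RBAC.` above the flannel role would save the next reader that comparison.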
diff --git a/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/values.yaml b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/values.yaml
new file mode 100755
index 0000000..f049271
--- /dev/null
+++ b/charts/rke2-canal/rke2-canal/v3.20.1-build2021100601/values.yaml
@@ -0,0 +1,82 @@
+---
+
+# The IPv4 cidr pool to create on startup if none exists. Pod IPs will be
+# chosen from this range.
+podCidr: "10.42.0.0/16"
+
+flannel:
+ # kube-flannel image
+ image:
+ repository: rancher/hardened-flannel
+ tag: v0.14.0-build20211006
+ # The interface used by canal for host <-> host communication.
+ # If left blank, then the interface is chosen using the node's
+ # default route.
+ iface: ""
+ # kube-flannel command arguments
+ args:
+ - "--ip-masq"
+ - "--kube-subnet-mgr"
+ # Backend for kube-flannel. Backend should not be changed
+ # at runtime.
+ backend: "vxlan"
+
+calico:
+ # CNI installation image.
+ cniImage:
+ repository: rancher/hardened-calico
+ tag: v3.20.1-build20211006
+ # Canal node image.
+ nodeImage:
+ repository: rancher/hardened-calico
+ tag: v3.20.1-build20211006
+ # Flexvol Image.
+ flexvolImage:
+ repository: rancher/hardened-calico
+ tag: v3.20.1-build20211006
+ # Datastore type for canal. It can be either kuberentes or etcd.
+ datastoreType: kubernetes
+ # Wait for datastore to initialize.
+ waitForDatastore: true
+ # Configure route aggregation based on pod CIDR.
+ usePodCIDR: true
+ # Disable BGP routing.
+ networkingBackend: none
+ # Cluster type to identify the deployment type.
+ clusterType: "k8s,canal"
+ # Disable file logging so `kubectl logs` works.
+ disableFileLogging: true
+ # Disable IPv6 on Kubernetes.
+ felixIpv6Support: false
+ # Period, in seconds, at which felix re-applies all iptables state
+ felixIptablesRefreshInterval: 60
+ # iptables backend to use for felix, defaults to auto but can also be set to nft or legacy
+ felixIptablesBackend: auto
+ # Set Felix logging to "info".
+ felixLogSeverityScreen: info
+ # Enable felix healthcheck.
+ felixHealthEnabled: true
+ # Enable prometheus metrics
+ felixPrometheusMetricsEnabled: true
+ # Disable XDP Acceleration as we do not support it with our ubi7 base image
+ felixXDPEnabled: false
+ # Whether or not to masquerade traffic to destinations not within
+ # the pod network.
+ masquerade: true
+ # Set Felix endpoint to host default action to ACCEPT.
+ felixDefaultEndpointToHostAction: ACCEPT
+ # Configure the MTU to use.
+ vethuMTU: 1450
+ # Typha is disabled.
+ typhaServiceName: none
+ # Kubelet flex-volume-plugin-dir
+ flexVolumePluginDir: /var/lib/kubelet/volumeplugins
+ # calico inbound failsafe ports. Empty string means defaults. Use 'none' to disable failsafe if you have your own rules.
+ felixFailsafeInboundHostPorts: ""
+ # calico outbound failsafe ports. Empty string means defaults. Use 'none' to disable failsafe if you have your own rules.
+ felixFailsafeOutboundHostPorts: ""
+
+global:
+ systemDefaultRegistry: ""
+ clusterCIDRv4: ""
+ clusterCIDRv6: ""
diff --git a/index.yaml b/index.yaml
index ac326e7..8c44daf 100755
--- a/index.yaml
+++ b/index.yaml
@@ -309,6 +309,23 @@ entries:
 - assets/rke2-calico/rke2-calico-crd-v1.0.001.tgz
 version: v1.0.001
 rke2-canal:
+ - apiVersion: v1
+ appVersion: v3.20.1
+ created: "2021-10-07T00:24:13.850866513Z"
+ description: Install Canal Network Plugin.
+ digest: 1082b7683f205d4f42489c2a09b9c4fc72880910dd1634c5794d5fc8acbf4afd
+ home: https://www.projectcalico.org/
+ keywords:
+ - canal
+ maintainers:
+ - email: charts@rancher.com
+ name: Rancher Labs
+ name: rke2-canal
+ sources:
+ - https://github.com/rancher/rke2-charts
+ urls:
+ - assets/rke2-canal/rke2-canal-v3.20.1-build2021100601.tgz
+ version: v3.20.1-build2021100601
 - apiVersion: v1
 appVersion: v3.19.1
 created: "2021-10-06T23:55:46.034454443Z"
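Review bot: `disableFileLogging: true` has no consumer in the templates this patch shows — daemonset.yaml hard-codes `CALICO_DISABLE_FILE_LOGGING` to `"true"` — so flipping it changes nothing; either template the env var from it or remove the key (config.yaml is outside this view, so confirm it is not read there before deleting). `vethuMTU: 1450` reads like a misspelling of `vethMTU`; the daemonset consumes the config map key `veth_mtu`, so whether this key is merely awkwardly named or actually ignored depends on which spelling config.yaml references, and that is worth checking before renaming it. The comment on `datastoreType` has a typo, `kuberentes` for `kubernetes`.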