From df9bb800bb10f1b55b6dd046d19ec3564060560c Mon Sep 17 00:00:00 2001 
From: actions Date: Fri, 4 Feb 2022 13:57:37 +0000 Subject: [PATCH] Merge pull request #217 from manuelbuil/addcrdscanal Add missing CRDs to canal --- .../rke2-canal-v3.21.2-build2022020409.tgz | Bin 0 -> 29567 bytes .../v3.21.2-build2022020409/Chart.yaml | 13 + .../templates/NOTES.txt | 3 + .../templates/_helpers.tpl | 7 + .../templates/config.yaml | 84 ++ .../templates/crds/bgpconfigurations.crd.yaml | 144 +++ .../templates/crds/bgppeers.crd.yaml | 115 +++ .../templates/crds/blockaffinities.crd.yaml | 62 ++ .../crds/clusterinformations.crd.yaml | 65 ++ .../crds/felixconfigurations.crd.yaml | 565 ++++++++++++ .../crds/globalnetworkpolicies.crd.yaml | 856 ++++++++++++++++++ .../templates/crds/globalnetworksets.crd.yaml | 55 ++ .../templates/crds/hostendpoints.crd.yaml | 109 +++ .../templates/crds/ipamblocks.crd.yaml | 82 ++ .../templates/crds/ipamconfigs.crd.yaml | 57 ++ .../templates/crds/ipamhandles.crd.yaml | 57 ++ .../templates/crds/ippools.crd.yaml | 100 ++ .../templates/crds/ipreservations.crd.yaml | 52 ++ .../kubecontrollersconfigurations.crd.yaml | 244 +++++ .../templates/crds/networkpolicies.crd.yaml | 838 +++++++++++++++++ .../templates/crds/networksets.crd.yaml | 52 ++ .../templates/daemonset.yaml | 266 ++++++ .../templates/rbac.yaml | 170 ++++ .../templates/serviceaccount.yaml | 6 + .../v3.21.2-build2022020409/values.yaml | 86 ++ index.yaml | 17 + 26 files changed, 4105 insertions(+) create mode 100755 assets/rke2-canal/rke2-canal-v3.21.2-build2022020409.tgz create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/Chart.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/NOTES.txt create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/_helpers.tpl create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/config.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/bgpconfigurations.crd.yaml create mode 100755 
charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/bgppeers.crd.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/blockaffinities.crd.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/clusterinformations.crd.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/felixconfigurations.crd.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/globalnetworkpolicies.crd.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/globalnetworksets.crd.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/hostendpoints.crd.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ipamblocks.crd.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ipamconfigs.crd.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ipamhandles.crd.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ippools.crd.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ipreservations.crd.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/kubecontrollersconfigurations.crd.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/networkpolicies.crd.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/networksets.crd.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/daemonset.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/rbac.yaml create mode 100755 charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/serviceaccount.yaml create mode 100755 
charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/values.yaml 
diff --git a/assets/rke2-canal/rke2-canal-v3.21.2-build2022020409.tgz b/assets/rke2-canal/rke2-canal-v3.21.2-build2022020409.tgz new file mode 100755 index 0000000000000000000000000000000000000000..569c08ae5210ac0484737f706b2ab96b9df62815 GIT binary patch literal 29567 zcmYg$1CS=cvhHxlwr$(CZQHhu9osf`Y}>ZEW7{+T+k0-Dc(jL)r(=OKYwiaP(#65FFTDia0p(ckW<~NPCU2cNo^X#HQTM&F; z*)%QSo4*3Yn`i;XY$G$%H6SB#!;&^kxbQ`}?aC5WNhtYy30%#*yKL%61K|_*U+eaK zf&B?^bgX{|gjme!|6JT{989H4C?MqF<9}c5-<=;EJQ^g1K;%i>O*9u?Xh7uit)3kE zlOxEzBgk6Ok1%QB@fTTXe?6YRojLkGQJQlr^RnIj?U)ZIhvI6X6rs=PNWMsuO|qRG zd0P;s-(b?hOuqR0{oU2o-MgpGpX)e*loCH_7 zBhgXL!%ZGPEdBwYqAdhhI+3QwLn1B5IsWcTcR|d-`@f#;^~f1qQRM>AligE> ztf}lQMb`E`DUr&{83(DhyDH)CH-?wN>)z7VG??+!-U8OveGGA-FMn-XzTax^VTyYYbdpU41F=Zi&*3j%QX)-+Wbnm6arTs`Pu?=T|`eN67e zKXP~zHIb4FV>6qj{X}s^ALv*|PKF-HWL%(b5hM>>s0fejFOZbnwnvm>oQD2o0|pxU zZrT$I&iB}sxvFnY)d}5jAlns1ZyXVPF+dPlybSfzo(RqPG%|l18j5!nhg%V+7N6!e zt2YVEHgUGUGI007viVU8CX|6%WP=Z+|5@{>2>|?L>MI zj3bZo$%`{bf3wTrAd>%!Y{C>8x*qJv;dbSb3ELOweW7<{@r zk)rj;GONK%^0eo}$_5iFnG`sh&M^aq4Oylh&Nf#|v1F5nL!i-#KIe$FL58JBo%w)m3W8fi6v}jKjqzzBJCQ+j?m|_+z_!|Z$WpEgbpm228j=F*bFNo_Z zr}7El3JX$JQX~G1NaaZ|mG6Mqllvug`USwR=RctD}xdPAy_Qn|QMM`2Mi=Z%6GB>J| z9z>Ti!>SvvW~g*(v!ZVt7MNbfenlH<+-d+ZWAQn}%*!m!r!H^<6P97kCp@puZ~hZHCfr zV09b0)<*T8>fJro)@AIUY45gR-mdp%ZXEc?-skGgvJ{7&enz@3H8e~fCwQkZ?LP90 zhb(X&_L?vt7<}GuZFu8++`Vy0!%T(PGMUMFaU9O?Nup85(g3=PY)nt9yW<|F6Jq9G z3N*N$HHh0DKRSpIwDG0C(ToBW@*5@T?O=*9W7o#VV*9$? 
z(U#qR^6`0hIR8cCo~t>4hS$%1e4-gryP;{|+7`qZlds}UFiyfk-_P?n`wb!a?E)=etRN!@O_v?;;}LRa@eMW?0Ji-ZVil}23usD@ z$o|+nRfx}f`ERIq7)R5Tjmz~_8U=eZQWb_&M0dF+?QUajF~*@(j3rf~e^DyZV#d)@ z&mPHRprisHi?{EHjE}a*x6>?2o1V|W_Rhia`?*J8?lpxf&Wf$!mHc^T;9y!4EiVuf zJEllTm*|ZkM|unq$9fcDiXl;(wQiw`ObSTqGh1AT`ch4uV0?opSEjESul7BV^TIQb zfoXu-Swzf!tXv}IBpZw$00cmuAhr=m61>T3CQyLo(`4-Sv6s}TsQ3~1%p zImrq5bM$ipJbk`@h9V|)@)nQx+Zz)mjjsl<$(W0zN;ND&U&^TkqbQ!X$j909fw9%E z+T|N&Oc)zN^KzV`NaZr(*2xJ}7m$t^a$9VlL9C`v9@l2n_|LTeCw|UcHvG}>G>*Rj zeAi8;l`$VIbXuu6^eu#J&dFq8oPnsmIrc)s^7?t)e|&Wz)XnX6XXWSy01iY-A0>i} zf=|g)Cuyy;NA&3`!U~nJs=x3TQslh`;l{iM*Bq>}oSD{cLT*G9DkE<_ZP7zcgreMa zNO-9oqKl*Ia#NWk(Z-HyrbBy%IvA199F0<4<#A?hLDTQw0G2*MfF|jsocwX13b*v+ zJKIOn6wCL!fw<*< z=pOUPRPFi#L?h!&C*yijaWZrRvmPJ&-Rj^QiY*7yp4RaKGMSy2xc~>}YR4AB)V)60 zE-$FMpjvgzL+bX0#ywWKV-#x4W|O-dW2Mm*%`>T=?aUE;JaV?jPx73dI@HlSlaV=G zuS99oWtog4^r-PUNYs%zo7cD~G(}9MJvcI?BT-Z$sL@BdcYUXRAwgU4(95&7Pf)_? zXgh&Z1i`D`Qfs12JkS%Ol>(>C61&nP{f2(JFPu+j*QESSyKO)kzFAn6PyV)C*M2jn zBvnP=9JI`t#-FUmBpIE8&HAH#N;iUMJ(Id{Z)^oEbx$C7ZAK8ZAUZ)w-XcVQih!Ea z85j)o^iTv?ZAZzUfNw@3I@dv980pQYwYGCOFln@M=tjwMe#_lm+IAj|-hA#cmknSU z$;wwc%1dcshcJrGf^(J1q~$2j^uGPll)Ov?w{4@NOs<|8g=|@bQ7E*2v3Xq9FQu)@ z)1`WV`%m2$BBCWk4WvPe^A5vzI4i_mL z-ip_kj))Ovlw%BZy^@L}s)|jY)Y7Kx>>5NGi*NTM3a1rzy52nQ(s-_=khqNc7X@zB ziLFbm(8i4X9zHG4!1V+x(Jy|-?`6rbRIHFF+gT0S0_l3@mih6LA3`()-yJL8{mcpG zB|*lc=|bdp$@2z80=nh9xxdE`COf{6UUX`}=f-H6|9&9r_X*o{8Nmhu+LUWAZwvk+ zXe1E~<0&{E+M|q%C;aF`>sqVs9eg2$IO4-cf1Q8-<>RZ0c`dfXT_kL`+H_n0OL&zy z+Jt|>W@hc`e4Km7IT=()Q97z$Id&9)zc&n+OE!7C1w79^^ldx5io{`eYWqv27G1`A zywtNWB~lBfQ$s$JJDf@3bNUcX(^X2QvN9+AKIN@HMdX~7rgx8E2xwa|mJ+x(Yvm

8dqh{~|_T5Cyoqx0bHyAz%L?d|}XJBj9!7xg>Gp%DV?jF=>=Fe39? zKU>qh%#|eJF?#J5N?k%j=^+#mpQlVyXDUr@e|U*v}IR(!E>J3??)1LIAB^Vfl@Z1y(laa5@5!q5%%pFrBl@ar=B`I4iwOXupk2YF!ck5*kZ#P|@Hnf*`KK#cT4VBD#?6u($SJ7J%s#O&mSbvBZ-%nBwz?M381^Eu`l6Goh;%RD#v$;-2TA3r79+N+ zn0RX6cK4+}i8@zY%dU7?L8^u>_#|5UrR#4FiT-7IDG?o7nn5JooESChHx75xnadta zoQ92VV7rO^D=3Q~w}Tc8fU8}Tde*w>{ zKUoSOJ;lxWe?c;Z%OLvLFx*wC#tkRcc;n0;2VTV4s6x}9mdHYUY1Vj6ovMi;42-v{ zj|YGWT5>XZU{u3$W1!v_>;pO_YT_oN4I3y=MWFhtCxNZTM-Lm(PSgF<`dj= zY>X?iSVBf^39B4$#yh$wxV-yp%){y1k-U3Bj$p0HJ8JF0TmqlIx~s^pd$yWEU1s!e{v4N^+Z{{$zp^ZG)g@3r*$_!l-bj>Cls>A%zZU4d~rYp{dZ!-n{6A zXD#4yL?ba{coVpr0yt(?F@v zv$vtEkH-4GUf)fh590&)S_wjZMN5bY?6NHacz+zWPT~!pgTZha70rT6k-kgOjo132 zCU<~=Adr%`No*&Pt*mJ7oaL>6SYa9uQTpTswZ?SFLxeu6&g4$+FsgX zRG{N|kZ%m!k>H`@)LKE~_(WNs;y!DUJvYIZYOM$S>z1vlpEn;?x2$lo+u44ExI1}+ z8U+u9xji8`3}mKW03%qtZxzoFpt5!Z*h<1=Jp-U%?JQzl7;l_r0B;@w5DakbhXJ_V zyl0OB0jZ}#&j1|EN3t0p;3Ho_o51UDFdqYlO|Z$^RyxoXFFR~VX@|9*%mNOSC-dO^ zw#))q7;bEsR!N!rD{Dc>E)mwdd?uL;tLIeyA@$Jc_1PU8U|^lVU?hb>+A8@>G3hlI z$z0G4W5s8U(JL(OoU&y{NPUB@=}IYBU&<1%1-GgVvbFGC=EOh0m8KQoAqqzb5ejtd z4^QCOx_psV&0`F4IQ*UWx8K~RDEv~&fp&3!%BRkMy0G$oDtVv3`dBzMCu`F3Q-KS@ z00I7v%@Y8EUeDbzz`uzRy#o+OHEoFuBq1w?<|9zRy0hJw2E$qFcMN4nA*Y>1XxHuU z(UO2|=X^=<0$rTuYPL(ypEH5HornBK`c z%r$PWj>UG0*qt8hGUmu8Dv;UoC}koN4Vi=L+t6!oIAp@5QJmRheO`>=nXt?BNZCT+OEzj!MP^18W8FT`AZ935g;=NCK|a`tfampuZQ0k80l>{WhyZqNZ_p0}yTd%kAt4Ih z8+Ga5Rr9xIeRYJNb|_h`ypEpzx9L#yQb#-QN50I33v?_WElE=ZrJZu5v0GnhFY;OZ z;ZQW0sQPk@GeBFn$gIPm!br@LJawkhwsWDsBg?QKt4@EPGbw};P|ceqmP0__UT0K5 z1U?Mq@8#%j<50I41n_GXTm~TM-aMs7%{FuC)t|M(!D~!&GSn(nM)gBNb0brYPsD2+ zt(+_2=M;`9x-;!GhaWUmm3a>#z71q{Czub6_%c3OW&8zBjDpo=8}ppcNoKqy1cD}S zJbvLQKFsdt$q_jt$(f^n_-4(`l_t^zI}j4{<->T4tE}(M?Y2J$7HMrK+>_T&E{zG9 zI2@$Bl%YK04ej6bCK*bP(S#*c$^R^vEnf0NdjnGyo{h=+WD{0{0|l2ZEGkS4;zwI{ zp(HbNtR!ikik5t1R&zdnOGu%bZ}<(#Nd0f)KCUG4lIfefnHn8f0vDwe%jDd4 zMA$JB#Fb(^STn>9OIQFzLN-SAsxa4iP+pGyw@L9)Td{eO^OCiEZs z+k?=@OoSp;gC0ohj1E%;;uwlY*YO%K)2O*LTq_$uAQGv6)x9C+RQ^UUl_ve>})?N))hT+VnZ1Oa4KWTA}vgSqLCXW{Ei*_OTp72 
zr->_aob04-4KT`@<$v?$4>CJ%iIY|4 z4>+zPDiWNfh4yYX67E7&v8J{I&9&HUY)5)1sVH&9Y;G%0bY4V#U1d8I){z2p9!K`V zi1OOthj;(Xka<*o0%S@-l%N0kG`pX4kZjC~Uubc^NZXP_p$-ZkZgp)_WI&b%?MhPj@7v@EAlO|ZY*I5Gd}TG7qKc*y3bOXB z#OvRPVy%ojs_MBmSD<0o*7y-pZH*N(Ov zL`~-r>UlV*5BJU}2t9dF6k(3!MMO$Vc9HQ! zi*ABUW{+<~U2Y|AlyEZrNnAXdQ64m{n>q78zdpt5zql^(fw^nJjmZL4gzhq zA8!WzWzYV3=}8edG{6fn+X*A$scolUKB6h*F-&RcpyTCF2zO#z9Z4C{Pkr(@$2Mpk{k| z(<6elZoUvCdY`mA;}>p!BG}t2@7yd9>Im+44yL$CKMJ(#EytZWoeRK zQ&*RqM=vyGH}Ir&ZRB?49ag&0CEgQEuVq`sorZBkpQ1%X4C>s#uoa#$e)ZD5Cp(K%utN4Lx9oh&i+Z1! z-nNkItz$vR`FsJ#`Ky&?^WL+30>(MmTI{b5uzFt)Ng6$@hi7T+7#(fRkqJR6!7OdNAXcee*s-tW|REdM+1V@#PxILMEc?6Bqq%YEovAd%k0Uhy*Lvsx$x zvIBpzKYqTsfAz3q3Uni{eB^o%*Ey`0;4eKz*3=wLE)~)b@kkvqJ!={XLQa}i5JjJf zQuQy3)YsQtpPQGH*PEpqKk;dpXTKKrx0$fGU)#LEtP(ljSm+cZ`E?DnM7*!A97~Xv zw~{SS(|*yJrfNM-w=)WOmI8I_#tgp=F4YS0Jn|{n`Yvxs@QBLT4bDGxq!{THRiiTS$n*q!k8U-jK zadZ|PtGhSGm=T@Ul{i#GQo^XcB?EZ?KCsnysTsj^a0e{^2O@|&aY+q4Ai((*Qgsi zPOjdjV{H&@w2n7-DYe~ql zgdHN*C_)orT{xw1EY4$Famv|WnBY7brJAPfG-46a4YF3QJXN9}@OnQV!M{Fzxy7tS z?Rj@9omdDmDDi+ugqf;+>*J9lr+k$x&(AcBDicb5*1~2YK|q1J;uQns@K3alJ7Kwm zp%p{W(U2GP1}a5b^gWvrN8*}p6)4cEct7*Y_=sbdEKmO(QE*u7LsI~DW++mr+?X|gxEN<+yL z9+@2kx!WIiMo^{G)4FL;WOwB?C5z*Es{UlkRCpk~kTofU=`1KCK0c*`<(9f^i&$5e zi=u=t!|LX3m$@t^9?-d*u&m}@Cl++FRPq)T0h2lMb;jl5u!KVMWo zeH2T4nf8QBF8jLU=y0D>rDk{;lhG0zG03a**tSFfgyZcfhM+%ieeWM~b#KLZspaC>>W z-*pf1`;yGvrif$isilG#yW?js2tg&6!>38D&~Tz zs_ok07F5o;J8vv{k^gG6Wxa;BpXF)g8&X7p`C&4!97xsMHn%Gjki*tPQID}N<1PbO zxOO>0T$lSTn)l15wF>hVbfx>^Cs;XEF>CFkDVjY?H1h7VR-W`F-<9>#x7Ue}69^il zvuRTaW5&JVg|94buG0`Vq&CcY8nTmWxo(mn7wDbS$U{pdN6Z&hofgR#E7H8q*VL-)eW-N`{2{aHyb=+OV~@m!N`yoySqQT_%A2p6j}xNvs!bnFE4;G z5aWP$V{@l=3~6%s(0NcGvfXVbRCeph6WuppI|m=1j7^S(M)3oUKnI7pSY7_XdJbN_ zbMLn7{ldwvk;$RlxnJzBn+q4aoy^m-IFoAzaMUBMbkzI3FtYV%Ak4KG6;}GcLX*iE z&zU+Beno;98IPo*YHn$D@?NPXRQ5RhtLvGbS=Wlfl*JZ_SIxUlVR_LhNzyr#ak9~B zX*h|SA8SWcBquD`ak7MzYSU*dXxU$pORygJ_#7v2ZJl?e{H75p-g>Yo96IFldwqeG z^Aj+OY53kl(V+jILOqbFW|;DUM#4$=NmKU^&)YPjHST?7^s17qgsSB!wg$g)(w~gO 
zrk2NF;k@>gKnEPPXD*Q$+yNFcyUjF7$s|wEEDX3;!=ZO6Yd&^tJ5et~ZELqW3j0UC z4=*1*5P9DyUuFXb_49Z(xHg(8fuy9gnVIb>OC#@mTO0nLPB-83?T*;)a-W zQlH!yJ6e}@x11h(&C~R!xH7%#;?GI9No^qal~_$Oj!R=^c7cRD(1>&xPUewF8}koI z(~*{%-fC-p(#OqGdRByPHo+P8G0!k8UlO8vW>V0^?a5$;NH50UfHvU~PAEESjGpm#Sjz;h&&$UUh%{LXT}&j&z}+2cfUwl#3ox(K(<)aH_}K zL^&#=FPV(yNe!k-XGY0@Sbwidf$j|blQ_wd@jmX7BR?{vfBH4`J%3EsQnYruc+jT0 z(_7lfws`1U+#}Ie`rSoK)itQcTM;afuS-I|Za==PtU#OTrdEN(`cA)IZfPK z^1IH$_?|ozKb$niTBLV?zHmCmk!jx3OdM(j=60vW-Lvf}8S>$IR|4!0iH+TQW20Zb zIm@&I%6iYIM*h>5^S_umyW!yskIS&@bNwJ{{aAb$9>g(Ti^~7?Ox^`?qv*yu&}h@J zgCu=ptFTpj??v8hIbi%m8{&y0_S;y9qmBw%*(-%syuomuBF0JL{v-~WE0_7WT1hQZ z-Y(BxFUmeaDTT`C@-5yfi=02(3tY_kSYH!NTFbQc_u(5$_m!Un56j)aoO}8OuF7r5 zq@c4Ke0XV(o%xB)U8%9gc37qW0-A7G=J7V4HHPeOs?n|ln{tIlUgkUa0vkvhw;TzM zmrR*l?8n+YDK{Ck3;^TaHx7NH!tS$8*32b6Pjm~*57Z1qZHEH(yRENhM)mC#c(iwW z>i3R5kIRVV`h@#6r~Yku7EdNN7ikKubPx%qmlhl<)DvVO3EJ|G9<_FlV_DQr$@P{k zG+H{ja;D5wN89ERp!peGYn*hogB-K@2YN5?#TC6-rYnPA8LTyKf=7l}@h|rftokgY zDtuMd%pQ~moPx$?SS8^&%TaiSxxaF~MMWRI@HcjjVeWBfw~)fMo7>mZ*>QAw;e3*I zGBw(z$3RhTu{zJ+ikY~KPE**UfKdRN=eL!rY9X$Zk+^bfeVwxS_++CET-fg%4>Zm_ zR5?De95X49#`L}p$9!b2S5`_!pM4?eP^gSOQQ^kuD9E-VYk|baZ{{sdc~iJFp9QRy``5euaXX(*ggGyw4ts)tp)9poDH-1K`im^_E1 zJaL>BEik1?90fH zNpKU%Yadz<#Tx^%>jI_e{Mn`=choc@C(aP+XkK-k0+UYBpL&O@fq2D~5A68za;3Dn z<-<(-J`lQL31kdENR;&gZ}4UB`}DQ3{tbA;*&m-0!AsXbL++Xd*U}y(cYcn8CYqL? 
zueL6qwzBz)O!s+mJaziK(8y-7Xv$L(;{ESP22DvYh>wO?NvRarKuCu)bp@Tj&$quW zl1?A_N8{Y{?TsQ7lx*XEk14UH7~XidN9l|nt8rw3-Z+mSkfdg$iGV(%q-{1$#-I6|<&>Hekdb>Q*6dH_ zRWb);AE3fZN&2PfV-4>^WLyg&hBD%sZ3D%@cbf(x0$iX38!EbyMr&FY>8OTpHdYM| zB-uMvU7NbJO0C;b^MX%)Q>YcqVN(gS(-o$*3Qz; z7%6_L^#szdw8Z43Uu=aoW!z#DyAXuZ^qE@qvH=u(%*CF|Oe71tB`-1z^EMB;&D-?r z+iB~h<6&e_A5cCRe9=N;ul(7l?WY*`%_5}kSz(L|lCEE_Yy20N+Xvz%zjNNHkieBP zXz`7^?%cGq;*T--S?ctGUp_(nK#z7iJV0Ha6+J)@F?P8#EaIA`-gOZ+Yo5dSjCIgo zdzQIE;$Ot`=}IiIiAC%Uc98wx(CLi{Cr2jNPjfIh#^^z&RtG1Oq7j_E&qls)_C21N zH8Y~A&^d&bhWrv)-n@j+yVI2wP$uJzWjc)cC2@#9wnD=R^yrDFr%zmjYcn1bTn66x z2d<)4JVRx%s=+=#aqO-hE8Y-IApX1^c){*U`(BDm&lgE5JVNlrKzHQ z?qqbkeHA1aKY5f1dqe6kDy3@5>a}=WStd*hx%z#VvAEXO?WOoRh>OP|_ZoLdP)9OK zB8Yn&$d1CZ!uzXXw_PIBnqOJM_QLwQ1X#@SHjLkd8#WdQ;obSc4P@*Mv~) z@pF0UutmieSbXx>8kdRy-ft8^2@0@}MGFFr6Mtom@*BiAmHqw2llz;`lBTL1wh^s# z`yqWr%9fI{VBJTFw}e*|aVy&OJWg%GmGIofh43utS19WuQJl*JD0Scq!eudsggbqq z0q9K~98$LYrVoi3_W-L8UJ9B3u}uiNJEPYh+HqD;tDbg=2!1z%AuFj8SvM*yHm-b5 z_8{t$FRyEPBM_2wn>aztBt7}uhE20SgOLNgDIZsdN8Sz$yRc2(49N4&AE67qN8*xt z17WYK#aTv)l5L!ADU#4b;NBLpdKWR$gS~>~T@G@TpK?zb{a79;AyAk}37%YUtP%lfTeK#d9jrW3V`)*8Mq0e8s5Mi;tyz5v&!tPduZs$j?d*YEKg2m zxP)5^*Baat+jud#tBxJs_(8MYwfdN-!LbW)chW@B`B!`g6%Fvo7jnbvri;1LLcsXL%7&GX<(zaP*6nSI6>rH>zsigNOb} zWxGXKh;VE)e~w&Dd`4c?V!QoNI3buh($y=tFXQ)f>*+pUMwo(AXYuIYe_Lb-IQ=kL zlGi95w~v^4x+Xm#DQXQ`Se1idMch^2uXoxb&_2BF&g$L27`jb8y+0fua$Ewyj4ICV zebD={&wU8_d_G=xuEjsE3kT7~y+5yOp7@PF9+)Pyt-ggI`_Gggj%59PAx!j+uuoWl zZDMeDg3&d^`vaN8iQ`j&4sBWincVw+2RFTr9tQ1QMlk$MjvgXL*Q|1@x5GBHuWN&K zxvJR3;ky``!EuTz2C5wU{OA6GP{R6X+z(93JWkmS-3cd~jcs&I{8Kn-=2yq&b<)4$ znOWgZZ6K>7WU3!Rjp(C|8E0q31-~21r=AZ3F;0!~7kNU;GOaBXe)~Rn{%Q8C@l~%w zw1t8r7Xx$Y&_kl0uh2{h0?{WA#nGz5#<|S+hd>=|h zP8@Gvth_3li4{}*44hr7nyjk$v6S8btMKo53{@QRI1%Kn_m0A!4iKmK>@r zJc|p)&pi12yJ2+pKo~1W2oskSG6tT?4d;4g^~qV3?lF{ky_S8jj0lRe2{EPt!~68K;r3?oQgHs74ksD3 z=gW_Z#fu_8e^=116WYiZ*wrWKsO-hFVf|k6v(-&-*x}TY@IUn$Hw7ykJG{3T+4-IO z;F;VkA2Cg&wb2FCdAOvk0@tMl7#JXWR0w2f`8tTpxNZO-f#-E&I29RNg$gg_2O~-~ 
z&XK|p4-p`3F)D12u}(~2!5zAO)|cNUh-h5zAJ^X@F#$QJfdw)r!9~-=70XoklC($< z8+Ys%$QF!r$s6W@A8bCFsaP-t?scWaXi#>V635>mSb?Aw&CM7+^xNE1l4*Bj4qMcW zJ*1X)bzu+;LF{{5Cp&}5I$EYXivmRz?{5=hqx5}~hct_isXfVP@A?^CGElWy%k=Onug42h8@3%9}Gh~zlz2AnFHLisfN%*Br zv_OfU*=b!j^4EcLor@x5oEteKxx<`ML&^~8F*=9ih)y`agv)@*2wb-7rL#JWwIQrj zsjI)8s!sSG(u&@F6V^5#f=msIx^F$&k*)PG==)PjsIW{{^4>O>hyh^{C_*aM!S0@r za2$;k8)7(=JCy&lR~*4gBLbumtH!1}9(7J!+DBz3H*HN!P<%qkhQ_Q}Nua$%mkh83 zby5@%zz$Vb{i+a=`$tY)nfKaCrgf{eNZf`x`EY})QtIASv_F??B>FHLo%L#%kxLfr zuk9|wqE<7CyxbtHDQlQ8B&VuLI@jk?C_(NE_0G8~eAFTzorm}(-sZt9&|^Wot-o#( zN$cMLj`UDG!nKOuQ~nzAM9sIU-D_T1)uZw>D^c58z&NCX8lT5JrIk3PndiChB~lzk zEV*eR|t~M^KrH$)Vw;rxz1BcxiADlRioUFcQ zGk3QVw9oj2%Ul&$-TBRacl$8^nQa3z4=u0jyowfKoq{bW18MpD9E{{b0X)#JwAUv> zZ0L~gmdM=UwX_S>=c+-|S^{fEwlIo@1%wx9vnPFbi_Yw{D5-*122AU}lz zRwY<)UBq2C#q!~sWR^OX$ z9F~A+v5h>YOjyzvXF_2+W#y**FRP;rj>IaGDcpJ-uX(;z1$HkBjbbU*^=HV6nwJJ$ z>R9x5-WS$^3PPGCZ$*iYVg>j}bWT+|$(KK#V0dX8HwUfAeOQAiDaAc$PLR+mMzy}F z){m|BEi8d4O+`=;LmDICMZf>9AKz@fU%-gD1>$w}&#g9H?JHu|5}c@}Pvdp%oxN1| zZ{EFb9_6n;m(H6z-EO)zvA;EUtb_8^Xqo-%;wRbJU>?$*(8TCSy4a)-qzJo zgk^TEUN|@nvDf6bzP^0oh5(W>!(zHn-rClGggR_>>69&WohK3(+<&hy(ZaXBKn+MT zxgVZ>WW=7DJnU3o5@mMx;Uk+D-J?9Lu4LP)hqu#TwS3<=&qc|&I97e0uLmkyqwl;r zI2dOK1YO%~b*Nt`?Q&%taqbc87Vm||bqPY^%*9Vc)+?|wkC_ILlc|PYCLgRN$sC9E%JolZ8JL2GA zqBUD1vITpi56=V5R&v`C!dM?uRV#oT@@;#U)LiZRRlFv7fpT8#$yXlMMLzrN(gS#3 zIwH6!vk@x|$>$|NQVYJ_g#t*v*8I9g>aq_ zrtCfT-p{wBG|C|h7+W6cRq!vIxPvQ=vB9uFcY=@}q0!vLn(wJF4l~tdd7G-tAj+qs zLvh?wyu($gZ5zCms!^|kJ>8{t9IW?gN+>}g43UIR=J1ZlCI46qL@^=kM?qPQPZCly zCny4OszXOm1~2~^79C4sR8q}? 
zm}_25o;UvqR?qK&YfWdOqFAzIB08qJ=o7j%)5LRqrq-5p{*A%lH9cl4t4x2=xe&f= zR&#yI4=2vB(tqfCSe(JXMpsp&Bn;mPyZ5_|b_KY=@BY9tB`fUR^^xp!h1gG(DpOtm zz0%1jUx-K$CGZ?Ho3S}#r{u5S+Wl;0_#$euQ=y9GZKoMMYHmqN^=1+Dh)I~VMt%*f zEO%qdelGCx0b8acnQ;PPZcW zd%o>EzxPkg$oB$Ub(rd7rJaXIM|!c$hYHw50qkN#*J4|YXn_Hp!5u!fiJ)^Ww(IWf z_p;p$4P;VBXaYS!d8offd^v4Vru&WI4EBd_Fp|o=*p1Q)Sjr=RjqM0W?eT|beuv5J zC)-n=!3%;*~aq;P#&GWedbiSLM zu!?UL`UG#GRfJ`wBU9l+hF^iI$=JV+fN}*w`Z-9M4fHig`M>&mc|6}4Xz7Pw^A(?%XMy+=w8p$K3%6c+xT~!Z^f2BLdoYx)mwb@I)VKbt-ikfF zL$3dSO%?E^8mabw@c$9nWLsZ}p?UwA|HDu19qdL|d_4W6v=E_9XuucTtrc`88JV*Z~YUH=c)sekw%c}QM>kcaU9!T)nP#O8lz{EvYDPIgo2 z^M6RHs$BcWlm)ua{C^nz51G$RgzEog^&iXsD>82ID^lM*{g1lL5D@Xt_+sh*oBVqp z-@}V^9`#ERuWj%4`Gp)}M7$8@IaVpy35y*%7?0>OO0BIcv=r?a38Vds38N(PU46O=`Y@;U2V@I2Z;Q2a69zZ>C`!DWvpx=v`Xj`z3zwg|LZ!-on z3owkWjI+kcI7am$wk7hwK4MDdaZ${R{T=&9Vqomo17jfH`clyk9k4khk`(PmNexsW z(cSZS%?Ixy$?cu9cN~Q*ljtkP(_~XO2Wla>-7sQQ?1C&L1u?~45jUJWORZ(mc)B<{ z?1dtsT8VXsd4)@*@p&8WuV;ibB=LJ*P_r$zXUS=f6D3>o3qNFs{X{3(ugkjvw01}bwzL-81II_pauoTX99~ZH&6i>8-Um`lLrRe*@~EV%gk*qG@maP zsE;0=V#$KPzVzm)?QLZ>2F<- zv_*Tc=F-qZqF0Pb;%#^F0f{&&u9E)W5rlc8w&362S+@HZ?75bPY*pT)abHVncf|}N zq8(J;EyMPIP%){sZ%OLSQ87+;KtSSYG|VPGCsV^A6A^rTOHii6Zwyqd&`pBr69g*+ zO4ERuCOS(#Jz>@8g!ya8ipV8PGGKD%Z(^jyz!dUe{hmao%~@q)$lEDlSkWRj{75Ep z$;?h`&mwaNtCRj;Z}$`($@lP$KF-7w+jcs(?TL+vJ+Y06ZEIrNnb@{%+vzvIKc4qF zXPxWQ7qzNZ@9K-X*sIsxpYOM1Vc@eV?cDRAoleWc+*}G!t9JS$hxPHcjLi0iUe2bG zt;PfbKJu8Yk7XT@$u-X}ejzvVl6&dj3tyk2GV3GVKa$ZYtD8O2@YcdI(fLzzBaQG* zSJ*D}E$)En25eT?diuqF96OnkAL;@u6%?Fgjx!yQg_ZjeSWC%Vohq9C%B_Xr{ zszQx^MS0q_sXsr0Ko6$qeM{%l6;K5%cU(;bTBJ46(1h)g8~M$n>TI*XQzsM2*&MZz}g^bZ;P3CbqO&h&q<#DiV*zNWq(RL9h)W3-z~ zzu&0m+?8m%u!fi9j&vE0p_M(HOVBL79Y@ekyQ;Dj48?^HS+&W!;O}jJeFo~yu7QDp zffGOh@0Z(yYQ!A;E-&}{`|XpRnQFvn#2kL_8(N2JP1>_(<5k6n^1vwqD@S{Q1T$6~ zzSk(YdQJ-Db<8)y*aj_G4Mmgtt~dPaUH0e;!aWtKi1%kpx`p>X_AkWjeji%24h@Hz z?(jIm1bWQV^&uY9x~`AU-%I){-GVeF1syq)<&GVE28EKIKuG2!>Njk?lbIMHS6`m6 zg<-Ym{%@g1kXwMBhxkw9{5x~ac=TfOZlQbJ9tD|=(UnKmP66R6F4~#L8l3hZ`xwis 
zY(6-^kzQaPsoNcAN&PY?b~QnZDE^)Zc$qXD?+!x{;8&llMYVlsp$5Pt^k-Zq+~-q= z-NlEu-?c3)tPWNY-5R_rk(OAplN?%oL9A@z>)mCLT_t?~fGmNC9*uWLx4_Y0&KHPD zN!vExYdRqBQf(6}XMnG=xTaKBRfQ39qe;a4V&tD6z|ios2i#TgXhe=$lI#+h}-qfi*@j8j_KRHd+fpApbcW`xg9Q@90TOC=)!`BAYNyGjX z9rBlN72ks?!Yc?VOq2e@7aucaHaTF|6HZUeG3a^D-Uj1g6kyzP0#hKp-+sVeb-aL> zW5Hy#&W16%3qCc}v{#b7AUU2@N}a(?zV*zu>+-lU%m}uwQCvXXUliJ zw2w2oyaFBj+SiGJiB@!(7R-UH$}kV{K6DsJ6x_4AtfT%NoN*{TVjZo=y9u$kpEo#< zU`q-Lv~K6M7?{`=9(If*cMhv>uMbF*1LQ z3X(+NL8uOb^_V653RGvmgCGzcu_zI%WXra0oP+6dQV{f`$7pD19ijzokp7PJ z11W}i0C}WGJB>bfEp%P;R@EJu|IGY1w(27flN!OaR;tr^E5ZZys4>(n7VR|*4%A`d zlz}8wY!Lln6sLO3tym(aGb74i9$`5;6564>Q=s{+hMCZ*5L+uYQ$1%3Hm`l2sllch zpqAy6Zztpz{iCd*jAdse48gLB)R;#iJAt7#_p@pT?ICU(w=UT>pbELy%HO`{n+_|v zwy8xLg|)>ETo^}u$gTCmRp8qILa|gG1#l>UP1PDgUcXh-ZJrbpMN3_8|rVO$zv5ZhECIj5Hpgju~M zbd0Kf*=V!*V1c*uIpXenY7uV^RAg?5!}EZ(pRCg^-G{5Z4H>-k+F2eK0qFv^u=by& z#)WUp*rVzANn)ueF(8FIm=BteS10S4By%evE0kirAiNrQwpE&82?NpV@Rlrf7|2qO zr{jMhWOJ`5ly8wAD|lZ2F5ZU;@mY+PjOr>9t3>YC)9}iB4Q=|j7*t9)Gc@52T?yze zXcqv>mw>m448>uQwgL(-Yqnp36(=W^1t39}*UhbFHShyxO61g62I~$I0f_7N@+*An zZe(Q5&SnT#YwP`qKFJP{gy3!WnXmr%IJ&8~@>Z|*csSIZP^4}h8@IcnI%P$!09S8= z_{U!$FDyyMY80e_=_?}hY&ZPSUhg`TS|)8QC0smwMPE8Bcw1->Z@rcJKK%Y7p+fA= z0MC{VU0?G#7#|3UZr?ln6WsBm}WnS*GQXPb?vH$Y0SvO5uc#>>+=rlE*SDJ^H2T?2sc-_7s-kCkP>L^KzqDTaWcTY3$RvG5gdgaD-z}=9A0XO&8zq&r}OyX{;9>_1=p~F zeXjovcVirwr}6gZrTb_q+xEtH3i00)?gY?1@}>7(9~(fJ416Q-K)m*SCK(2{u0T9@ z2VYel0X;sekAOa#?}SQz_|M%a^win9F9HTtO|4l~r`rr3W4ZB9dLEjEu197(=6+|X z^(V;)CW)>6Oj*kmb(1_UwbVfe!S<+;TIQVFmJ- zPclaV;Kf?7^0e++HMD|CXzO>B7Dv8%k-R84Nk?YjmQo@hczJnm1v-}HSTLJj>?#N3 z{WHJh?&W?jp`%=}R48&KJjjes7kvq}s+#D5rY&9p3cV@mcz9?#$oM+;t>0Q0%ptXc zwrRVoX$;_%s6_-W4Vg=gkP+-zp5mxnWO&_0LKQEadOwcMYZTRXF_{8OLU}Z+w+yg% zSo2EL-~z89+GhP@Qr@DYd7*BFIwUOJ2F@H7+#}_spctaS~4c{;bPQ~7hl+y-=434Pc3x^cW@pvOM zzW)Iz5m9MtuluYK;5nb#5wVh*m9=<-WvqwJAK^yezK+u1!Nzfd7>+LVKxzZnh+>G{ zJ)8>#mmVD@T*1j-(tG<#ut&zn$uaMM5FRU{Y7lH!ZT?`6gUN#Gv9byeL|j&-1lSg^ zxz5(n2c%=r-VsitUqPLE9Th+E$6wH|K}rm-cG$|ShzolbK|zu2i`JaAJcWF?hqqIj 
zWcL2q?llyOi6=O76Oe})m<+3s-s(9hH2ha+!0RIpN=*GDtUg8JLngxa?4uTW-{ynr z<+Br?0EL9lsnImc;31&nykF(xR&mCQK9U~q#a?&U=v~cgH|(I-54LR#TmC}!>$+nv z8EOp=%xQ$=;>JHDDoM7Ua)#B^=WM|OW^#sMXijQaw(-ed(_2L7e9%B_YHKiLCtb4` z-d!5#H6_jNN4OrK1P$D^i#`hH4I%}SB*DP-U^|)r^po;){?4~~B@w;WvyG(Vd=QcS z&iAVUt!w!n==pl9IR*6oCnDHw8u=1%ZopHxSwq8ej?n>_|agWt$Dq~&{dMU)y0*W}bi4{}XVB0}M z`;3zt+o`MJ&X`h%OZXvF(8Gp!ceUE_UK&&^Hu<8cVkA(0O%YGvv` zzsJt5gqJqf<6}Ob?acTM6k5?gASTVDiraN7v;J()y5v}xVn^gymegg~0-L~H1ji8U zn~#Spv6mU^0*#e%8BO&YS$%tfo!QI%BN0@1VIjYeIC)_lA0+hh#5{~75M%mYJR=D< zgnxR;p4ogVU46?4n;*Btl|&YQ()Qxz z%T=Gnx2Z?};oEf*a_$Z}%a8ZIIptPa>T6`@nzG(w)$4KuNx8JvdYx$epAW25`L9=w z2;x0(Nr2q(HN2p|^B~!f1!0<*3>r)yBF>syDXWLi3`se^C&#w6T`+kN>EXJs9Nam^ zdE)M9$9_20cYWEne4E=Z`*!`ctj#rZiIAt<`jY|IljMka5ds#BDb6#*5_N1mkz?np zs>`-qDoID{l4{N_?Fa8{f&s?EX*fk*%zIgt0%a`6ddi1Ep*exZJc_4aVDhcy6g4J* zYC@~#(iOVfQ>}eF*37rkNSx`Aq@HbiZOO_wYzeJe4`h`$(0|~j z?IP)B`cJJsGuun6pPVJ$>>JF7NFo@+pZK8+B0(J#0)zTQlOQ!5`L@bxazt5245@e-wYT6 zr>PrR>S%c_xY6XC6+@8kN~Fp3!gl67i90$YQs5BdehCAdwGW9(t~8|=AiTzbjYl(l_G*ajhD2Yw8t z-iOhBMNP?+)|m#VGvTC3O3~&@O~U&#IqiofD~`HEtX)h%15q6;D2GHvm9u&P^hK!Y z63el|S!&r{v=cuIvOP;$pR(}O{04erOK8geSZQh!EK>1 zXV>8e_sOJmcCs9XdgOIS`NOFi##!;?7iPlkw&#XjBd?U@7tR093$6PjwU^7q_4KU75jI49VkvR;hk|SvY zrO%=y2VUkM;eM?=htW}WoId-o6^FR_( z>a}RxHc0*Ep8NAH!+hqXBi-;!hRw}OpcfJ`E5DfCr@g4#`YI#P#sw7 ztIDgDY44Jz9Dr)J`FW=@HYS28ZSVlzE=F8Um)El%KcI{^yL}Lgv@Ui)pK8I1se&Jz zI`hCf?Qo#TA>ZsF_Kb_@g2({z-KUp~iPCYxpep{aG_(E~dT8TQLe?ERDub`B5tBK+ zwgygP#z1$MwcCF=!_`79E_{-Hh0Uzj@8y3qgCWU+t$`ns);5R@H%Nev{g^QLPs>*0 zb>&AsmQkO5A}fZvn&1^Xq9NzAJyggQ!p2NA#K z=2VHdkCj3SeHMOvm-z69c1_2G9}#+d^G$&w>e5k$(s&6#Y@oVPpF+Xf`j|<7Ft!w1 z@28CP!}T08sOupbW4N8xbPa0XK2w}d?d*iV(_;8H?u_&x%_>Y2a*qF(bhxcwaWQMy z%)`HogdA>>XS;79li;-w?_3WL)+u<@Je>%z5Jy9IEPCoxL#SKfAXgbG{wizDLa%Wq z@oLoXnp0~1k)F1REljvvTjf-C(PA`~b*ysN28W~eN0}p8aRcN}TW#T~>GW{teSaBv z?JUn&!$rPz!fmBnKt7#&1@>J!Es^S1v?}trk?CHUsMY1A)gmzvA60|$nEmnmL6sb! 
zQD*b$jShU>)A&`PY{8FkQl5IB!I{k_ z@TBAu0_OMCqv`L$4!=w^msdYGSC9UI4xWW`@~3~2W0|14@yRqKqB2TEDF4SfgwcF( zy0AzG+pbO!Md961C^;LafxD0*wGF+FP+Ub`Qn@hGTb6sLq87}MP-EROcrI%Z zWVOd@U-#zG_vT8CNd47d%Zen=-_V}e73=Wqs{>M>u_IMSOcD5T(3X1K7ll+Zh_YxU6FVwkZg&l98Z4FCU4 z9URBMsKc#>c9Hy4bS)OojidMY;2q%Qa^WFXc2ge-hGpg%#yx{Pq?o=59Gak|X-oG~ z)7}D6s89eOS5bN*|LyZa&ianA#@mKxNt$nz2RZ@oNIS^tK4aP*^PAz`3jiDWF--h0 z^?a(3jP!`hS@yA5B`(5ssXBUwIs&F((Rig-p}XDft{Xp02X#;gRd_@KYnK!>r8I`K zSKKpasFo@^6@s;jR+_tjvM4I9)PYl@H{%l78%aJczWll<2|)S`uSg>VP25SRo3>hq@hW$T zOGj)jJj_h3@qC}$pi^@tT4^d)I+$LK(K0DO_dBEIxKh2lGPpjm7&a$J#5Y<3*OUw* zpNRnUtnnUn)Kke6p?z6zgJBjrt#1T2ePgt zjBvb6hnp_(Qes4_Z3D5hrqx@kLf{SwTMcK?q2+zWwrv6FwT5k$u&l3ZwbRW3l)SpSPhP%5%)**%4c}-UY0U_hmP#vKv{0* zS#l*lb8%w3u}@T>c3ymqg7^$9(}{{{(MP@;)``5N(UcaYQ_J5b`c3-j!kN5^Zq!$v zJPR9v2_7NIy_Z7nP}bLcr#s=3ec!r+x8s*)j3C*|hWY9h%)6yY|nOqACRzU;bC)792MHml=17;#x4 z%vOmNRK>||=NoDCt(N37RPV#+&a0(qPoEWm^E8G}tg;#Ko|`TqhE|2nlywI-xOcl);|N$KwUy7}S%Nhy4Oo+J~8ImpxAWwJIWEzwwdVS?!Db1AF+_vc0D z*k|(0{?jqVsk;Qfqb%vt^x#?L2UCyZBa#D4?lCCa08s4Fckd?k9qu;^jS;^&=~G-k z0Z=yJa!HFye;6^5fia-bfzXlEvVz71ccV3a773iEk zI9TwvD?&KutV|(V2cvD@?hpFUxu#YvNfU8o^&f)>zs#1YruPJZnonsBx&njE3g>5u zG>4qat?`Bn8?M`I4S1#gsqL27)0 zp+lwMBP$?&0ioR_OrRC?+@0>Kn);&>S(q%d_*DjzmS6w6T7I7yki>*PlNe_%gdPR2 z%z31K48#>)7!uS@VKptF8?aeaSYP>lP03m3YHg`$Wr}oR=PUD{e3WR(cA&}#78BfS zO{fn`Dm67cYHgn+&PK1mrJ^KBVRh@tNnp3|2TS-~_X;cY9Ta_u7 zcSv>|qy+-qpt4s#2c?h^0vPo>TBj3UO$d7h()~f@6Ef98Yp6Q}%F+hduKw7#-U`gH zD%HR3LITp4T~LD}M7{3^7yh7bd}@8sz)LW7RX>&|>H z{|v~Op#!9E=hIEA;2m;Dk+~)(X0@+ky1-Vi=RE%6>P=S15v*ob#BBcomgRt8W+M8z ziv`1jB+#q>J6cvd1RibMN01KeCiSau_q3?pfGj^*D)1^o@0*^7@FA`LX14Xzo~o`z z*hHABsfpB>=~1HKP;Gwfp zgOI&+i}qmjT~a6O63LQn6rL~m5Cf}m3)U`N81=hDeA_o{U$)fk7&dv^-MnueFUHh2 z)G--zob_E8^}0Pm+7$R!+Gyhd7*lOqylU{U?*8ripF7y=*g{BJ*NXaOS*m#e{GBn&nE1c3Yxsv-fyRm zw$xNQPMfm}tx&+!3=8~tTi*-sDYRuYNxC|(vLoJ49l2m|V%$s)I!V(cKwiv==I>0$ zv{j$;wQ*=1aTpVK9KM3t*b$U+?{go+UcvUQd@?!wwPLvsoI+2f7!uAQoQ_Q`McEpc z1qTfnry^__)E`*NH3d_)4P=lGYIy7#T8R$Dg4w-6DDW-xmdUsWU9YHURm4EeOH_*$ 
zS!E;GtL~pn?mkW4jWvCs{djVrOk)J-=a+#fo~u4^^I1MR6qN;a`c% zB|RDJ>0O&mb+adtgqD~GoyHFJcR9|16M49GkIF3j#zC|Ij-`lZ6%Au`CtaR+BD^M> zk;bD>#N)JKXxVwW62UCuuf;UFsAeBhBeW@1z}DiYR!NptA&fJo|&w$z10r)7PgNo?x4Es^I9>v(zXGKqt$1Ue%vYR})m=*^Z9i9P#&Q!_Hnga_jY@M^l{~>Bla;>;?5-_c%%=wM6I03I(t9;&eBG~ zES@-m1?|sD(H>tO5{P^QW*EkwAlPYA*8{Z|x2lHAX#0V{-7<;7KKRPEnRo#)WM>t}V20B*G zOw*eu+`cO|wFX1|(%-*YCJ^!R9lJ)H1E~g^6_Ji>NM$uh>{nCtD}gG?zgEI3X+x-o zup|#}Jv4q`5!KLIjnxQHJEHV=LEa?-5p?K6 z87gFboKBsRTgzNmyhWmojq_A6VW<^G_%ia2y-P1V*}2@4A>La6X7%sjpe7mbC9cL> zBH(wzTTfgG2|uI7_NLuqH#~RAZ;-!Z;lE#ZlXzV&^Wg1;trAy|kHd-IMnAZI#H&9lF0n>H90Ux$3Hkk*kI3bq_(eTL zGTor2w*Qy85UdoGP{v&~E{>YLF&{p{OY#w~CC)=-SIY{=ZwLbmvt|@8o2>xQ$wN@U z#XI+XKAus3);oOiUMG3*tPRar#DwnAtR#wn0ImDA&<4e5*dsDph0#W6`>jUje5Oz2 zO0W;hj@7e1Wj4EZHyg-xc1?BZ7U`mv=nOw@_5}w}nrJN@kGKT}QWGuhZzE6~F9sP- z3SCs8_GTQIu=VMOK5&~0Ap>S+Ma(dDE3+F^yQMMtXrsEB_L5`4COuOH!7WGqA~yyY z6ILWZ%T=>%?-&qz4|jTI7?(Q0ItGm9UsaOX=%?bC9~RnZ z8Q`RZEXW{fKHkY1=T%}(DL-!>vv_dZ;at1$6hdrCNluFqZC66L`s%5poB3jiZ6HI_ zoh_hX9XTSjS*JDD426>JE&FFDb|3Bh)A7Ta$C%`$=h9&F&!r0x|BOSP8)1J3BVJ)s zuN37IKU}KPu2Qjn>cxSM-#_sk3M3=rU^_WOgk8{$@{7)odEaEv4$w+uI<25`^r9g+ z3-2dz8jxIPC{8iX0-&UD*XN+Aqg!_mGT$&5AL$1j&T5UZgeYN%v^Sweiii-%j zZu|VL-2s$|i3Y_}A1BXvvhEWX!B4b)+_OUz&%|z0A23fX6Kf&xLnr_YzrpFp`E8O` zK}#u{9C{w+eLAU_+?@HXU%72RgDlTExX(S=XLe0LgEaeYN);YMtoMOld*113+vao& zPT`k+E^_!EseG_;+-K$hJs>O=8B+>|%LEb7)5|N)mcA#bm&1;uP>c=A(6BjJBF_zM zz$Ph7IaZ4X*g+tg&_v{)TfGKQ0y1@i^&G3qM^sCx&D<71)FBBve1$7Ls^cq_vI>bQdF(iJ%WR zD2FOwSa75m80E>3r8($#&cLrS zrVgG!zY%H{=)V>W+*&eg7ezSJk>voQs#~yDKQnfIzz&yk|5jq{YR?AjpSwqXQyzu% zc=B1zg?_A-2n0O8~W^iy}VTtz7vXt4%N8`^-CjndQ7L4GAL!#*7<$=^0U52|9|OzXL-~=3{(G z)Zq4#ziVrD0jAKKg(AOqdj$;kvRcmGoyy|%)y z`qzG1T=}wKhP4ty?R0s~K`IqtOR=;ZuVKa@Vnuu?%o+fhz++=gGXbABN57fWZnECO zAZRZ7;#R@%l_)D$kA_NWbn0gUE7!( zFmXr!tdSL0Qe&t$$A)Gj604KnRBwI@^ykr?4=k|oIM#cxtH!)^m=$u6FG8_CONqxtqG8o*!I?X76hCT9&UQ$o(H>21QUT{4c201Y z4Z9XyA+_2iilNLAXB;WTr!{2yW-`GR-2wVad(OUU2fz;l(i(H;q`3mj3ZHCTsN2 
z2gF|rw!7|UCpo5^6;(V!Z|sq5nIbfV~~YD^}FZ&Ua2h!)|pije)PdUAO2X;kGtq^-I5tv*^^t9iEQ8 zZn+b@qAeSt+$WLmiL9e__pFXqAPXLtxg8#L(yY1i)t&3Xe}VM5e^Y)Cp=@*1CP2`> z)OT=vN=EfLevD(vsWJPoN2HL#@$updr1wLtedi+v!!)+3ul_J+0Dgvv7B6uo9DUXCIDGKQ15@7$Im^E?(Xqxey^n{A()a}VvbG9500M~_kMGNv*5nv5mTJIi%Kga8_97{_0L$`7i=k4v!Ra6WPyG--&3cyvEhsK zqo_^6eG9qY0X&6`>`wkkrM<9ApqEY5o_EwP0J()OWbnUC>wr~WBzgjsZoEMQANF=; zIs1w^UmYD|KEs3iH3fT|TdF#Sk-aeXO|QzOLmm^7JI}F>rkHYvEV4ANRQLxhWv@?B zd?4Tz4zoC9^e;}71hPpSU~i*;Vy=J;T?OVN*%`DNf|LiT1J@mY7~u z8LL+H!TM}tHR-g7sd?+lgDZS}CvWd%sZ&LQhE!k!MD+sn*t z4p_XEuvUCerLP`s?`~ilJLWsLqBLPiI5=Tfi7z0*2j$D-*03RgN+)GFR>IC=D~D^5 zUze=;`H@6>SB)$J(?(+i9Fxit*bB`5ffIF04zg#v4dJn@gjy;QuJ^pS>SY$7k@dGQ zM>)-l*_H^OmfCMuZVRuz(k{=<9svY5Kqp2$-NbhRyLLODXWy host communication. + # If left blank, then the interface is chosen using the node's + # default route. + canal_iface: {{ .Values.flannel.iface | quote }} + + # Whether or not to masquerade traffic to destinations not within + # the pod network. + masquerade: {{ .Values.calico.masquerade | quote }} + + # Configure the MTU to use + veth_mtu: {{ .Values.calico.vethuMTU | quote }} + + # The CNI network configuration to install on each node. The special + # values in this config will be automatically populated. 
+ cni_network_config: |- + { + "name": "k8s-pod-network", + "cniVersion": "0.3.1", + "plugins": [ + { + "type": "calico", + "log_level": "info", + "datastore_type": "kubernetes", + "nodename": "__KUBERNETES_NODE_NAME__", + "mtu": __CNI_MTU__, + "ipam": { + "type": "host-local", + "ranges": [ + [ + { + "subnet": "usePodCidr" + } +{{- if coalesce .Values.global.clusterCIDRv6 .Values.podCidrv6 }} + ], + [ + { + "subnet": "usePodCidrIPv6" + } +{{- end }} + ] + ] + }, + "policy": { + "type": "k8s" + }, + "kubernetes": { + "kubeconfig": "__KUBECONFIG_FILEPATH__" + } + }, + { + "type": "portmap", + "snat": true, + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + + # Flannel network configuration. Mounted into the flannel container. + net-conf.json: | + { + "Network": {{ coalesce .Values.global.clusterCIDRv4 .Values.podCidr | quote }}, +{{- if coalesce .Values.global.clusterCIDRv6 .Values.podCidrv6 }} + "IPv6Network": {{ coalesce .Values.global.clusterCIDRv6 .Values.podCidrv6 | quote }}, + "EnableIPv6": true, +{{- end }} + "Backend": { + "Type": {{ .Values.flannel.backend | quote }} + } + } diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/bgpconfigurations.crd.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/bgpconfigurations.crd.yaml new file mode 100755 index 0000000..589c3a2 --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/bgpconfigurations.crd.yaml 
@@ -0,0 +1,144 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_bgpconfigurations.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: bgpconfigurations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BGPConfiguration + listKind: BGPConfigurationList + plural: bgpconfigurations + singular: bgpconfiguration + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: BGPConfiguration contains the configuration for any BGP routing. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPConfigurationSpec contains the values of the BGP configuration. + properties: + asNumber: + description: 'ASNumber is the default AS number used by a node. [Default: + 64512]' + format: int32 + type: integer + communities: + description: Communities is a list of BGP community values and their + arbitrary names for tagging routes. + items: + description: Community contains standard or large community value + and its name. + properties: + name: + description: Name given to community value. + type: string + value: + description: Value must be of format `aa:nn` or `aa:nn:mm`. + For standard community use `aa:nn` format, where `aa` and + `nn` are 16 bit number. 
For large community use `aa:nn:mm` + format, where `aa`, `nn` and `mm` are 32 bit number. Where, + `aa` is an AS Number, `nn` and `mm` are per-AS identifier. + pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ + type: string + type: object + type: array + listenPort: + description: ListenPort is the port where BGP protocol should listen. + Defaults to 179 + maximum: 65535 + minimum: 1 + type: integer + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: INFO]' + type: string + nodeToNodeMeshEnabled: + description: 'NodeToNodeMeshEnabled sets whether full node to node + BGP mesh is enabled. [Default: true]' + type: boolean + prefixAdvertisements: + description: PrefixAdvertisements contains per-prefix advertisement + configuration. + items: + description: PrefixAdvertisement configures advertisement properties + for the specified CIDR. + properties: + cidr: + description: CIDR for which properties should be advertised. + type: string + communities: + description: Communities can be list of either community names + already defined in `Specs.Communities` or community value + of format `aa:nn` or `aa:nn:mm`. For standard community use + `aa:nn` format, where `aa` and `nn` are 16 bit number. For + large community use `aa:nn:mm` format, where `aa`, `nn` and + `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and + `mm` are per-AS identifier. + items: + type: string + type: array + type: object + type: array + serviceClusterIPs: + description: ServiceClusterIPs are the CIDR blocks from which service + cluster IPs are allocated. If specified, Calico will advertise these + blocks, as well as any cluster IPs within them. + items: + description: ServiceClusterIPBlock represents a single allowed ClusterIP + CIDR block. + properties: + cidr: + type: string + type: object + type: array + serviceExternalIPs: + description: ServiceExternalIPs are the CIDR blocks for Kubernetes + Service External IPs. 
Kubernetes Service ExternalIPs will only be + advertised if they are within one of these blocks. + items: + description: ServiceExternalIPBlock represents a single allowed + External IP CIDR block. + properties: + cidr: + type: string + type: object + type: array + serviceLoadBalancerIPs: + description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes + Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress + IPs will only be advertised if they are within one of these blocks. + items: + description: ServiceLoadBalancerIPBlock represents a single allowed + LoadBalancer IP CIDR block. + properties: + cidr: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/bgppeers.crd.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/bgppeers.crd.yaml new file mode 100755 index 0000000..bdbd2ee --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/bgppeers.crd.yaml 
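Review bot: The CRD carries only `metadata.name`, and the `+++` path places it under `templates/crds/`, so Helm will manage it as an ordinary release resource; if the release is ever deleted, or the template is dropped in a later chart version, the CRD goes with it and the API server garbage-collects every BGPConfiguration object — the diffstat shows the same layout for the networkpolicies and globalnetworkpolicies CRDs, whose objects are the cluster's enforced network policy. If rendering CRDs from `templates/` rather than Helm's `crds/` directory is deliberate (presumably to get schema upgrades, which `crds/` does not provide), consider adding `annotations:` with `helm.sh/resource-policy: keep` under `metadata` so the definitions and their objects survive release removal. This is inferred from the chart layout rather than from anything in the hunk itself, so confirm it against how the rke2 HelmChart controller handles chart removal before relying on it.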
@@ -0,0 +1,115 @@
+---
+# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_bgppeers.yaml
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: bgppeers.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: BGPPeer
+ listKind: BGPPeerList
+ plural: bgppeers
+ singular: bgppeer
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: BGPPeerSpec contains the specification for a BGPPeer resource.
+ properties:
+ asNumber:
+ description: The AS Number of the peer.
+ format: int32
+ type: integer
+ keepOriginalNextHop:
+ description: Option to keep the original nexthop field when routes
+ are sent to a BGP Peer. Setting "true" configures the selected BGP
+ Peers node to use the "next hop keep;" instead of "next hop self;"(default)
+ in the specific branch of the Node on "bird.cfg".
+ type: boolean
+ maxRestartTime:
+ description: Time to allow for software restart. When specified, this
+ is configured as the graceful restart timeout. When not specified,
+ the BIRD default of 120s is used.
+ type: string
+ node:
+ description: The node name identifying the Calico node instance that
+ is targeted by this peer.
If this is not set, and no nodeSelector
+ is specified, then this BGP peer selects all nodes in the cluster.
+ type: string
+ nodeSelector:
+ description: Selector for the nodes that should have this peering. When
+ this is set, the Node field must be empty.
+ type: string
+ password:
+ description: Optional BGP password for the peerings generated by this
+ BGPPeer resource.
+ properties:
+ secretKeyRef:
+ description: Selects a key of a secret in the node pod's namespace.
+ properties:
+ key:
+ description: The key of the secret to select from. Must be
+ a valid secret key.
+ type: string
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ optional:
+ description: Specify whether the Secret or its key must be
+ defined
+ type: boolean
+ required:
+ - key
+ type: object
+ type: object
+ peerIP:
+ description: The IP address of the peer followed by an optional port
+ number to peer with. If port number is given, format should be `[]:port`
+ or `:` for IPv4. If optional port number is not set,
+ and this peer IP and ASNumber belongs to a calico/node with ListenPort
+ set in BGPConfiguration, then we use that port to peer.
+ type: string
+ peerSelector:
+ description: Selector for the remote nodes to peer with. When this
+ is set, the PeerIP and ASNumber fields must be empty. For each
+ peering between the local node and selected remote nodes, we configure
+ an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
+ and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
+ remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
+ or the global default if that is not set.
+ type: string
+ sourceAddress:
+ description: Specifies whether and how to configure a source address
+ for the peerings generated by this BGPPeer resource.
Default value
+ "UseNodeIP" means to configure the node IP as the source address. "None"
+ means not to configure a source address.
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+
diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/blockaffinities.crd.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/blockaffinities.crd.yaml
new file mode 100755
index 0000000..dbaaebc
--- /dev/null
+++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/blockaffinities.crd.yaml
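Review bot: These CRDs land under `templates/crds/` rather than the chart's top-level `crds/` directory, so Helm manages them as ordinary release objects: they are applied and upgraded with the release, but also removed on uninstall, which cascades to every BGPPeer in the cluster (and, for the sibling files in this PR, every GlobalNetworkPolicy and NetworkPolicy). That is very likely deliberate, since Helm never upgrades CRDs placed in `crds/` and a CNI's schema does change between releases, but the trade-off is not recorded anywhere in the chart. Suggest a header comment under the existing `# Source:` line, e.g. `# Kept under templates/ so Helm upgrades the schema; deleting the release also deletes this CRD and every BGPPeer object.` Separately, the `peerIP` description as shown here reads `[]:port` and `:` for the IPv6/IPv4 forms, which looks like angle-bracket placeholders lost in rendering — worth confirming the committed file still carries them.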
@@ -0,0 +1,62 @@
+---
+# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_blockaffinities.yaml
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: blockaffinities.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: BlockAffinity
+ listKind: BlockAffinityList
+ plural: blockaffinities
+ singular: blockaffinity
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: BlockAffinitySpec contains the specification for a BlockAffinity
+ resource.
+ properties:
+ cidr:
+ type: string
+ deleted:
+ description: Deleted indicates that this block affinity is being deleted.
+ This field is a string for compatibility with older releases that
+ mistakenly treat this field as a string.
+ type: string
+ node:
+ type: string
+ state:
+ type: string
+ required:
+ - cidr
+ - deleted
+ - node
+ - state
+ type: object
+ type: object
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/clusterinformations.crd.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/clusterinformations.crd.yaml
new file mode 100755
index 0000000..2f25897
--- /dev/null
+++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/clusterinformations.crd.yaml
@@ -0,0 +1,65 @@
+---
+# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_clusterinformations.yaml
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterinformations.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: ClusterInformation
+ listKind: ClusterInformationList
+ plural: clusterinformations
+ singular: clusterinformation
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: ClusterInformation contains the cluster specific information.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ClusterInformationSpec contains the values of describing
+ the cluster.
+ properties:
+ calicoVersion:
+ description: CalicoVersion is the version of Calico that the cluster
+ is running
+ type: string
+ clusterGUID:
+ description: ClusterGUID is the GUID of the cluster
+ type: string
+ clusterType:
+ description: ClusterType describes the type of the cluster
+ type: string
+ datastoreReady:
+ description: DatastoreReady is used during significant datastore migrations
+ to signal to components such as Felix that it should wait before
+ accessing the datastore.
+ type: boolean
+ variant:
+ description: Variant declares which variant of Calico should be active.
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/felixconfigurations.crd.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/felixconfigurations.crd.yaml
new file mode 100755
index 0000000..a1c3d6d
--- /dev/null
+++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/felixconfigurations.crd.yaml
@@ -0,0 +1,565 @@
+---
+# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_felixconfigurations.yaml
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: felixconfigurations.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: FelixConfiguration
+ listKind: FelixConfigurationList
+ plural: felixconfigurations
+ singular: felixconfiguration
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: Felix Configuration contains the configuration for Felix.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: FelixConfigurationSpec contains the values of the Felix configuration.
+ properties:
+ allowIPIPPacketsFromWorkloads:
+ description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
+ will add a rule to drop IPIP encapsulated traffic from workloads
+ [Default: false]'
+ type: boolean
+ allowVXLANPacketsFromWorkloads:
+ description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
+ will add a rule to drop VXLAN encapsulated traffic from workloads
+ [Default: false]'
+ type: boolean
+ awsSrcDstCheck:
+ description: 'Set source-destination-check on AWS EC2 instances. Accepted
+ value must be one of "DoNothing", "Enabled" or "Disabled".
[Default:
+ DoNothing]'
+ enum:
+ - DoNothing
+ - Enable
+ - Disable
+ type: string
+ bpfConnectTimeLoadBalancingEnabled:
+ description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
+ controls whether Felix installs the connection-time load balancer. The
+ connect-time load balancer is required for the host to be able to
+ reach Kubernetes services and it improves the performance of pod-to-service
+ connections. The only reason to disable it is for debugging purposes. [Default:
+ true]'
+ type: boolean
+ bpfDataIfacePattern:
+ description: BPFDataIfacePattern is a regular expression that controls
+ which interfaces Felix should attach BPF programs to in order to
+ catch traffic to/from the network. This needs to match the interfaces
+ that Calico workload traffic flows over as well as any interfaces
+ that handle incoming traffic to nodeports and services from outside
+ the cluster. It should not match the workload interfaces (usually
+ named cali...).
+ type: string
+ bpfDisableUnprivileged:
+ description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
+ sysctl to disable unprivileged use of BPF. This ensures that unprivileged
+ users cannot access Calico''s BPF maps and cannot insert their own
+ BPF programs to interfere with Calico''s. [Default: true]'
+ type: boolean
+ bpfEnabled:
+ description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
+ [Default: false]'
+ type: boolean
+ bpfExternalServiceMode:
+ description: 'BPFExternalServiceMode in BPF mode, controls how connections
+ from outside the cluster to services (node ports and cluster IPs)
+ are forwarded to remote workloads. If set to "Tunnel" then both
+ request and response traffic is tunneled to the remote node. If
+ set to "DSR", the request traffic is tunneled but the response traffic
+ is sent directly from the remote node. In "DSR" mode, the remote
+ node appears to use the IP of the ingress node; this requires a
+ permissive L2 network.
[Default: Tunnel]'
+ type: string
+ bpfExtToServiceConnmark:
+ description: 'BPFExtToServiceConnmark in BPF mode, controls a
+ 32bit mark that is set on connections from an external client to
+ a local service. This mark allows us to control how packets of
+ that connection are routed within the host and how is routing
+ intepreted by RPF check. [Default: 0]'
+ type: integer
+
+ bpfKubeProxyEndpointSlicesEnabled:
+ description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
+ whether Felix's embedded kube-proxy accepts EndpointSlices or not.
+ type: boolean
+ bpfKubeProxyIptablesCleanupEnabled:
+ description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
+ mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
+ iptables chains. Should only be enabled if kube-proxy is not running. [Default:
+ true]'
+ type: boolean
+ bpfKubeProxyMinSyncPeriod:
+ description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
+ minimum time between updates to the dataplane for Felix''s embedded
+ kube-proxy. Lower values give reduced set-up latency. Higher values
+ reduce Felix CPU usage by batching up more work. [Default: 1s]'
+ type: string
+ bpfLogLevel:
+ description: 'BPFLogLevel controls the log level of the BPF programs
+ when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
+ logs are emitted to the BPF trace pipe, accessible with the command
+ `tc exec bpf debug`. [Default: Off].'
+ type: string
+ chainInsertMode:
+ description: 'ChainInsertMode controls whether Felix hooks the kernel''s
+ top-level iptables chains by inserting a rule at the top of the
+ chain or by appending a rule at the bottom. insert is the safe default
+ since it prevents Calico''s rules from being bypassed. If you switch
+ to append mode, be sure that the other rules in the chains signal
+ acceptance by falling through to the Calico rules, otherwise the
+ Calico policy will be bypassed.
[Default: insert]'
+ type: string
+ dataplaneDriver:
+ type: string
+ debugDisableLogDropping:
+ type: boolean
+ debugMemoryProfilePath:
+ type: string
+ debugSimulateCalcGraphHangAfter:
+ type: string
+ debugSimulateDataplaneHangAfter:
+ type: string
+ defaultEndpointToHostAction:
+ description: 'DefaultEndpointToHostAction controls what happens to
+ traffic that goes from a workload endpoint to the host itself (after
+ the traffic hits the endpoint egress policy). By default Calico
+ blocks traffic from workload endpoints to the host itself with an
+ iptables "DROP" action. If you want to allow some or all traffic
+ from endpoint to host, set this parameter to RETURN or ACCEPT. Use
+ RETURN if you have your own rules in the iptables "INPUT" chain;
+ Calico will insert its rules at the top of that chain, then "RETURN"
+ packets to the "INPUT" chain once it has completed processing workload
+ endpoint egress policy. Use ACCEPT to unconditionally accept packets
+ from workloads after processing workload endpoint egress policy.
+ [Default: Drop]'
+ type: string
+ deviceRouteProtocol:
+ description: This defines the route protocol added to programmed device
+ routes, by default this will be RTPROT_BOOT when left blank.
+ type: integer
+ deviceRouteSourceAddress:
+ description: This is the source address to use on programmed device
+ routes. By default the source address is left blank, leaving the
+ kernel to choose the source address used.
+ type: string
+ disableConntrackInvalidCheck:
+ type: boolean
+ endpointReportingDelay:
+ type: string
+ endpointReportingEnabled:
+ type: boolean
+ externalNodesList:
+ description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
+ which may source tunnel traffic and have the tunneled traffic be
+ accepted at calico nodes.
+ items:
+ type: string
+ type: array
+ failsafeInboundHostPorts:
+ description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
+ and CIDRs that Felix will allow incoming traffic to host endpoints
+ on irrespective of the security policy. This is useful to avoid
+ accidentally cutting off a host with incorrect configuration. For
+ back-compatibility, if the protocol is not specified, it defaults
+ to "tcp". If a CIDR is not specified, it will allow traffic from
+ all addresses. To disable all inbound host ports, use the value
+ none. The default value allows ssh access and DHCP. [Default: tcp:22,
+ udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
+ items:
+ description: ProtoPort is combination of protocol, port, and CIDR.
+ Protocol and port must be specified.
+ properties:
+ net:
+ type: string
+ port:
+ type: integer
+ protocol:
+ type: string
+ required:
+ - port
+ - protocol
+ type: object
+ type: array
+ failsafeOutboundHostPorts:
+ description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
+ and CIDRs that Felix will allow outgoing traffic from host endpoints
+ to irrespective of the security policy. This is useful to avoid
+ accidentally cutting off a host with incorrect configuration. For
+ back-compatibility, if the protocol is not specified, it defaults
+ to "tcp". If a CIDR is not specified, it will allow traffic from
+ all addresses. To disable all outbound host ports, use the value
+ none. The default value opens etcd''s standard ports to ensure that
+ Felix does not get cut off from etcd as well as allowing DHCP and
+ DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
+ tcp:6667, udp:53, udp:67]'
+ items:
+ description: ProtoPort is combination of protocol, port, and CIDR.
+ Protocol and port must be specified.
+ properties:
+ net:
+ type: string
+ port:
+ type: integer
+ protocol:
+ type: string
+ required:
+ - port
+ - protocol
+ type: object
+ type: array
+ featureDetectOverride:
+ description: FeatureDetectOverride is used to override the feature
+ detection. Values are specified in a comma separated list with no
+ spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
+ "true" or "false" will force the feature, empty or omitted values
+ are auto-detected.
+ type: string
+ genericXDPEnabled:
+ description: 'GenericXDPEnabled enables Generic XDP so network cards
+ that don''t support XDP offload or driver modes can use XDP. This
+ is not recommended since it doesn''t provide better performance
+ than iptables. [Default: false]'
+ type: boolean
+ healthEnabled:
+ type: boolean
+ healthHost:
+ type: string
+ healthPort:
+ type: integer
+ interfaceExclude:
+ description: 'InterfaceExclude is a comma-separated list of interfaces
+ that Felix should exclude when monitoring for host endpoints. The
+ default value ensures that Felix ignores Kubernetes'' IPVS dummy
+ interface, which is used internally by kube-proxy. If you want to
+ exclude multiple interface names using a single value, the list
+ supports regular expressions. For regular expressions you must wrap
+ the value with ''/''. For example having values ''/^kube/,veth1''
+ will exclude all interfaces that begin with ''kube'' and also the
+ interface ''veth1''. [Default: kube-ipvs0]'
+ type: string
+ interfacePrefix:
+ description: 'InterfacePrefix is the interface name prefix that identifies
+ workload endpoints and so distinguishes them from host endpoint
+ interfaces. Note: in environments other than bare metal, the orchestrators
+ configure this appropriately. For example our Kubernetes and Docker
+ integrations set the ''cali'' value, and our OpenStack integration
+ sets the ''tap'' value.
[Default: cali]'
+ type: string
+ interfaceRefreshInterval:
+ description: InterfaceRefreshInterval is the period at which Felix
+ rescans local interfaces to verify their state. The rescan can be
+ disabled by setting the interval to 0.
+ type: string
+ ipipEnabled:
+ type: boolean
+ ipipMTU:
+ description: 'IPIPMTU is the MTU to set on the tunnel device. See
+ Configuring MTU [Default: 1440]'
+ type: integer
+ ipsetsRefreshInterval:
+ description: 'IpsetsRefreshInterval is the period at which Felix re-checks
+ all iptables state to ensure that no other process has accidentally
+ broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
+ 90s]'
+ type: string
+ iptablesBackend:
+ description: IptablesBackend specifies which backend of iptables will
+ be used. The default is legacy.
+ type: string
+ iptablesFilterAllowAction:
+ type: string
+ iptablesLockFilePath:
+ description: 'IptablesLockFilePath is the location of the iptables
+ lock file. You may need to change this if the lock file is not in
+ its standard location (for example if you have mapped it into Felix''s
+ container at a different path). [Default: /run/xtables.lock]'
+ type: string
+ iptablesLockProbeInterval:
+ description: 'IptablesLockProbeInterval is the time that Felix will
+ wait between attempts to acquire the iptables lock if it is not
+ available. Lower values make Felix more responsive when the lock
+ is contended, but use more CPU. [Default: 50ms]'
+ type: string
+ iptablesLockTimeout:
+ description: 'IptablesLockTimeout is the time that Felix will wait
+ for the iptables lock, or 0, to disable. To use this feature, Felix
+ must share the iptables lock file with all other processes that
+ also take the lock. When running Felix inside a container, this
+ requires the /run directory of the host to be mounted into the calico/node
+ or calico/felix container.
[Default: 0s disabled]'
+ type: string
+ iptablesMangleAllowAction:
+ type: string
+ iptablesMarkMask:
+ description: 'IptablesMarkMask is the mask that Felix selects its
+ IPTables Mark bits from. Should be a 32 bit hexadecimal number with
+ at least 8 bits set, none of which clash with any other mark bits
+ in use on the system. [Default: 0xff000000]'
+ format: int32
+ type: integer
+ iptablesNATOutgoingInterfaceFilter:
+ type: string
+ iptablesPostWriteCheckInterval:
+ description: 'IptablesPostWriteCheckInterval is the period after Felix
+ has done a write to the dataplane that it schedules an extra read
+ back in order to check the write was not clobbered by another process.
+ This should only occur if another application on the system doesn''t
+ respect the iptables lock. [Default: 1s]'
+ type: string
+ iptablesRefreshInterval:
+ description: 'IptablesRefreshInterval is the period at which Felix
+ re-checks the IP sets in the dataplane to ensure that no other process
+ has accidentally broken Calico''s rules. Set to 0 to disable IP
+ sets refresh. Note: the default for this value is lower than the
+ other refresh intervals as a workaround for a Linux kernel bug that
+ was fixed in kernel version 4.11. If you are using v4.11 or greater
+ you may want to set this to, a higher value to reduce Felix CPU
+ usage. [Default: 10s]'
+ type: string
+ ipv6Support:
+ type: boolean
+ kubeNodePortRanges:
+ description: 'KubeNodePortRanges holds list of port ranges used for
+ service node ports. Only used if felix detects kube-proxy running
+ in ipvs mode. Felix uses these ranges to separate host and workload
+ traffic. [Default: 30000:32767].'
+ items:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ type: array
+ logFilePath:
+ description: 'LogFilePath is the full path to the Felix log. Set to
+ none to disable file logging.
[Default: /var/log/calico/felix.log]'
+ type: string
+ logPrefix:
+ description: 'LogPrefix is the log prefix that Felix uses when rendering
+ LOG rules. [Default: calico-packet]'
+ type: string
+ logSeverityFile:
+ description: 'LogSeverityFile is the log severity above which logs
+ are sent to the log file. [Default: Info]'
+ type: string
+ logSeverityScreen:
+ description: 'LogSeverityScreen is the log severity above which logs
+ are sent to the stdout. [Default: Info]'
+ type: string
+ logSeveritySys:
+ description: 'LogSeveritySys is the log severity above which logs
+ are sent to the syslog. Set to None for no logging to syslog. [Default:
+ Info]'
+ type: string
+ maxIpsetSize:
+ type: integer
+ metadataAddr:
+ description: 'MetadataAddr is the IP address or domain name of the
+ server that can answer VM queries for cloud-init metadata. In OpenStack,
+ this corresponds to the machine running nova-api (or in Ubuntu,
+ nova-api-metadata). A value of none (case insensitive) means that
+ Felix should not set up any NAT rule for the metadata path. [Default:
+ 127.0.0.1]'
+ type: string
+ metadataPort:
+ description: 'MetadataPort is the port of the metadata server. This,
+ combined with global.MetadataAddr (if not ''None''), is used to
+ set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
+ In most cases this should not need to be changed [Default: 8775].'
+ type: integer
+ mtuIfacePattern:
+ description: MTUIfacePattern is a regular expression that controls
+ which interfaces Felix should scan in order to calculate the host's
+ MTU. This should not match workload interfaces (usually named cali...).
+ type: string
+ natOutgoingAddress:
+ description: NATOutgoingAddress specifies an address to use when performing
+ source NAT for traffic in a natOutgoing pool that is leaving the
+ network.
By default the address used is an address on the interface
+ the traffic is leaving on (ie it uses the iptables MASQUERADE target)
+ type: string
+ natPortRange:
+ anyOf:
+ - type: integer
+ - type: string
+ description: NATPortRange specifies the range of ports that is used
+ for port mapping when doing outgoing NAT. When unset the default
+ behavior of the network stack is used.
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
+ netlinkTimeout:
+ type: string
+ openstackRegion:
+ description: 'OpenstackRegion is the name of the region that a particular
+ Felix belongs to. In a multi-region Calico/OpenStack deployment,
+ this must be configured somehow for each Felix (here in the datamodel,
+ or in felix.cfg or the environment on each compute node), and must
+ match the [calico] openstack_region value configured in neutron.conf
+ on each node. [Default: Empty]'
+ type: string
+ policySyncPathPrefix:
+ description: 'PolicySyncPathPrefix is used to by Felix to communicate
+ policy changes to external services, like Application layer policy.
+ [Default: Empty]'
+ type: string
+ prometheusGoMetricsEnabled:
+ description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
+ collection, which the Prometheus client does by default, when set
+ to false. This reduces the number of metrics reported, reducing
+ Prometheus load. [Default: true]'
+ type: boolean
+ prometheusMetricsEnabled:
+ description: 'PrometheusMetricsEnabled enables the Prometheus metrics
+ server in Felix if set to true. [Default: false]'
+ type: boolean
+ prometheusMetricsHost:
+ description: 'PrometheusMetricsHost is the host that the Prometheus
+ metrics server should bind to. [Default: empty]'
+ type: string
+ prometheusMetricsPort:
+ description: 'PrometheusMetricsPort is the TCP port that the Prometheus
+ metrics server should bind to.
[Default: 9091]'
+ type: integer
+ prometheusProcessMetricsEnabled:
+ description: 'PrometheusProcessMetricsEnabled disables process metrics
+ collection, which the Prometheus client does by default, when set
+ to false. This reduces the number of metrics reported, reducing
+ Prometheus load. [Default: true]'
+ type: boolean
+ removeExternalRoutes:
+ description: Whether or not to remove device routes that have not
+ been programmed by Felix. Disabling this will allow external applications
+ to also add device routes. This is enabled by default which means
+ we will remove externally added routes.
+ type: boolean
+ reportingInterval:
+ description: 'ReportingInterval is the interval at which Felix reports
+ its status into the datastore or 0 to disable. Must be non-zero
+ in OpenStack deployments. [Default: 30s]'
+ type: string
+ reportingTTL:
+ description: 'ReportingTTL is the time-to-live setting for process-wide
+ status reports. [Default: 90s]'
+ type: string
+ routeRefreshInterval:
+ description: 'RouteRefreshInterval is the period at which Felix re-checks
+ the routes in the dataplane to ensure that no other process has
+ accidentally broken Calico''s rules. Set to 0 to disable route refresh.
+ [Default: 90s]'
+ type: string
+ routeSource:
+ description: 'RouteSource configures where Felix gets its routing
+ information. - WorkloadIPs: use workload endpoints to construct
+ routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
+ type: string
+ routeTableRange:
+ description: Calico programs additional Linux route tables for various
+ purposes. RouteTableRange specifies the indices of the route tables
+ that Calico should use.
+ properties:
+ max:
+ type: integer
+ min:
+ type: integer
+ required:
+ - max
+ - min
+ type: object
+ serviceLoopPrevention:
+ description: 'When service IP advertisement is enabled, prevent routing
+ loops to service IPs that are not in use, by dropping or rejecting
+ packets that do not get DNAT''d by kube-proxy.
Unless set to "Disabled",
+ in which case such routing loops continue to be allowed. [Default:
+ Drop]'
+ type: string
+ sidecarAccelerationEnabled:
+ description: 'SidecarAccelerationEnabled enables experimental sidecar
+ acceleration [Default: false]'
+ type: boolean
+ usageReportingEnabled:
+ description: 'UsageReportingEnabled reports anonymous Calico version
+ number and cluster size to projectcalico.org. Logs warnings returned
+ by the usage server. For example, if a significant security vulnerability
+ has been discovered in the version of Calico being used. [Default:
+ true]'
+ type: boolean
+ usageReportingInitialDelay:
+ description: 'UsageReportingInitialDelay controls the minimum delay
+ before Felix makes a report. [Default: 300s]'
+ type: string
+ usageReportingInterval:
+ description: 'UsageReportingInterval controls the interval at which
+ Felix makes reports. [Default: 86400s]'
+ type: string
+ useInternalDataplaneDriver:
+ type: boolean
+ vxlanEnabled:
+ type: boolean
+ vxlanMTU:
+ description: 'VXLANMTU is the MTU to set on the tunnel device. See
+ Configuring MTU [Default: 1440]'
+ type: integer
+ vxlanPort:
+ type: integer
+ vxlanVNI:
+ type: integer
+ wireguardEnabled:
+ description: 'WireguardEnabled controls whether Wireguard is enabled.
+ [Default: false]'
+ type: boolean
+ wireguardInterfaceName:
+ description: 'WireguardInterfaceName specifies the name to use for
+ the Wireguard interface. [Default: wg.calico]'
+ type: string
+ wireguardListeningPort:
+ description: 'WireguardListeningPort controls the listening port used
+ by Wireguard. [Default: 51820]'
+ type: integer
+ wireguardMTU:
+ description: 'WireguardMTU controls the MTU on the Wireguard interface.
+ See Configuring MTU [Default: 1420]'
+ type: integer
+ wireguardRoutingRulePriority:
+ description: 'WireguardRoutingRulePriority controls the priority value
+ to use for the Wireguard routing rule.
[Default: 99]'
+ type: integer
+ xdpEnabled:
+ description: 'XDPEnabled enables XDP acceleration for suitable untracked
+ incoming deny rules. [Default: true]'
+ type: boolean
+ xdpRefreshInterval:
+ description: 'XDPRefreshInterval is the period at which Felix re-checks
+ all XDP state to ensure that no other process has accidentally broken
+ Calico''s BPF maps or attached programs. Set to 0 to disable XDP
+ refresh. [Default: 90s]'
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/globalnetworkpolicies.crd.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/globalnetworkpolicies.crd.yaml
new file mode 100755
index 0000000..1cf624f
--- /dev/null
+++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/globalnetworkpolicies.crd.yaml
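Review bot: The `awsSrcDstCheck` description says the accepted values are "DoNothing", "Enabled" or "Disabled", but the `enum` directly beneath it only admits `DoNothing`, `Enable` and `Disable`, so a FelixConfiguration written from the description is rejected by apiserver schema validation. Because this file is copied verbatim from upstream (see its `# Source:` header), a local edit would be lost on the next sync; the mismatch should be reported upstream and tracked here, with the description line corrected to `value must be one of "DoNothing", "Enable" or "Disable".`. Operators hardening rke2 nodes with host endpoint policy should also note the documented `failsafeInboundHostPorts`/`failsafeOutboundHostPorts` defaults, which keep tcp:22, tcp:179, tcp:2379/2380, tcp:6443, tcp:6666/6667 and the DHCP/DNS UDP ports open regardless of policy until explicitly overridden.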
@@ -0,0 +1,856 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_globalnetworkpolicies.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: globalnetworkpolicies.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: GlobalNetworkPolicy + listKind: GlobalNetworkPolicyList + plural: globalnetworkpolicies + singular: globalnetworkpolicy + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + applyOnForward: + description: ApplyOnForward indicates to apply the rules in this policy + on forward traffic. + type: boolean + doNotTrack: + description: DoNotTrack indicates whether packets matched by the rules + in this policy should go through the data plane's connection tracking, + such as Linux conntrack. If True, the rules in this policy are + applied before any data plane connection tracking, and packets allowed + by this policy are marked as not to be tracked. + type: boolean + egress: + description: The ordered set of egress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. 
Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with \"Not\". All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. 
Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." 
+ type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. 
+ items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. 
This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." 
+ type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. 
+ One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. 
+ type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + required: + - action + type: object + type: array + ingress: + description: The ordered set of ingress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with \"Not\". All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." 
+ type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. 
+ One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. 
+ type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. 
+ type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. 
\n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). 
+ \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. 
\n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + required: + - action + type: object + type: array + namespaceSelector: + description: NamespaceSelector is an optional field for an expression + used to select a pod based on namespaces. + type: string + order: + description: Order is an optional field that specifies the order in + which the policy is applied. Policies with higher "order" are applied + after those with lower order. If the order is omitted, it may be + considered to be "infinite" - i.e. the policy will be applied last. Policies + with identical order will be applied in alphanumerical order based + on the Policy "Name". + type: number + preDNAT: + description: PreDNAT indicates to apply the rules in this policy before + any DNAT. + type: boolean + selector: + description: "The selector is an expression used to pick pick out + the endpoints that the policy should be applied to. \n Selector + expressions follow this syntax: \n \tlabel == \"string_literal\" + \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" + \ -> not equal; also matches if label is not present \tlabel in + { \"a\", \"b\", \"c\", ... } -> true if the value of label X is + one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", + ... } -> true if the value of label X is not one of \"a\", \"b\", + \"c\" \thas(label_name) -> True if that label is present \t! 
expr + -> negation of expr \texpr && expr -> Short-circuit and \texpr + || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + or the empty selector -> matches all endpoints. \n Label names are + allowed to contain alphanumerics, -, _ and /. String literals are + more permissive but they do not support escape characters. \n Examples + (with made-up labels): \n \ttype == \"webserver\" && deployment + == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != + \"dev\" \t! has(label_name)" + type: string + serviceAccountSelector: + description: ServiceAccountSelector is an optional field for an expression + used to select a pod based on service accounts. + type: string + types: + description: "Types indicates whether this policy applies to ingress, + or to egress, or to both. When not explicitly specified (and so + the value on creation is empty or nil), Calico defaults Types according + to what Ingress and Egress rules are present in the policy. The + default is: \n - [ PolicyTypeIngress ], if there are no Egress rules + (including the case where there are also no Ingress rules) \n + - [ PolicyTypeEgress ], if there are Egress rules but no Ingress + rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are + both Ingress and Egress rules. \n When the policy is read back again, + Types will always be one of these values, never empty or nil." + items: + description: PolicyType enumerates the possible values of the PolicySpec + Types field. + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/globalnetworksets.crd.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/globalnetworksets.crd.yaml new file mode 100755 index 0000000..6024037 --- /dev/null 
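Review bot: The GlobalNetworkPolicy CRD is placed under `templates/crds/` (see the `+++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/globalnetworkpolicies.crd.yaml` header), so Helm manages it as an ordinary templated resource, and its `metadata:` block carries only `name:`; if the release is ever uninstalled or a later chart revision drops this file, deleting the CRD cascade-deletes every GlobalNetworkPolicy object and silently removes cluster-wide network policy. Consider protecting it with the two lines `annotations:` / `helm.sh/resource-policy: keep` under `metadata:` (whether RKE2's chart controller would actually uninstall canal is not visible in this diff). Separately, the rule schema leaves `action:` as a bare `type: string` with no `enum`, so the API server admits any value and rejection is deferred to Calico; since the file is vendored verbatim from upstream (`# Source:` comment), that tightening belongs in Calico rather than a local edit, but it is worth knowing that admission does not validate policy actions.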
+++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/globalnetworksets.crd.yaml @@ -0,0 +1,55 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_globalnetworksets.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: globalnetworksets.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: GlobalNetworkSet + listKind: GlobalNetworkSetList + plural: globalnetworksets + singular: globalnetworkset + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs + that share labels to allow rules to refer to them via selectors. The labels + of GlobalNetworkSet are not namespaced. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GlobalNetworkSetSpec contains the specification for a NetworkSet + resource. + properties: + nets: + description: The list of IP networks that belong to this set. + items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + 
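Review bot: GlobalNetworkSet is `scope: Cluster` and `nets` is an array of unconstrained `type: string` items with no `format` or `pattern`, so the API server accepts non-CIDR or mistyped entries and only Calico decides what they mean; more importantly, whoever can write this resource can change which external IP ranges a selector-based allow rule in a GlobalNetworkPolicy matches, so RBAC on `globalnetworksets` should be as tight as on `globalnetworkpolicies` (the chart's rbac.yaml is not visible here). The same `helm.sh/resource-policy: keep` consideration applies to this CRD, since it also ships under `templates/crds/` with a `metadata:` block holding only `name:`. The file is vendored from upstream (`# Source:` comment), so any schema tightening should be proposed in Calico rather than patched locally.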
diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/hostendpoints.crd.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/hostendpoints.crd.yaml new file mode 100755 index 0000000..797801d --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/hostendpoints.crd.yaml 
@@ -0,0 +1,109 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_hostendpoints.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: hostendpoints.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: HostEndpoint + listKind: HostEndpointList + plural: hostendpoints + singular: hostendpoint + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HostEndpointSpec contains the specification for a HostEndpoint + resource. + properties: + expectedIPs: + description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. + If \"InterfaceName\" is not present, Calico will look for an interface + matching any of the IPs in the list and apply policy to that. Note: + \tWhen using the selector match criteria in an ingress or egress + security Policy \tor Profile, Calico converts the selector into + a set of IP addresses. For host \tendpoints, the ExpectedIPs field + is used for that purpose. 
(If only the interface \tname is specified, + Calico does not learn the IPs of the interface for use in match + \tcriteria.)" + items: + type: string + type: array + interfaceName: + description: "Either \"*\", or the name of a specific Linux interface + to apply policy to; or empty. \"*\" indicates that this HostEndpoint + governs all traffic to, from or through the default network namespace + of the host named by the \"Node\" field; entering and leaving that + namespace via any interface, including those from/to non-host-networked + local workloads. \n If InterfaceName is not \"*\", this HostEndpoint + only governs traffic that enters or leaves the host through the + specific interface named by InterfaceName, or - when InterfaceName + is empty - through the specific interface that has one of the IPs + in ExpectedIPs. Therefore, when InterfaceName is empty, at least + one expected IP must be specified. Only external interfaces (such + as \"eth0\") are supported here; it isn't possible for a HostEndpoint + to protect traffic through a specific local workload interface. + \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; + initially just pre-DNAT policy. Please check Calico documentation + for the latest position." + type: string + node: + description: The node name identifying the Calico node instance. + type: string + ports: + description: Ports contains the endpoint's named ports, which may + be referenced in security policy rules. + items: + properties: + name: + type: string + port: + type: integer + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + required: + - name + - port + - protocol + type: object + type: array + profiles: + description: A list of identifiers of security Profile objects that + apply to this endpoint. Each profile is applied in the order that + they appear in this list. Profile rules are applied after the selector-based + security policy. 
+ items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ipamblocks.crd.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ipamblocks.crd.yaml new file mode 100755 index 0000000..efc9f1f --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ipamblocks.crd.yaml 
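Review bot: `spec.interfaceName` and `spec.expectedIPs` place a node's own host traffic under Calico policy (the description in the hunk says `"*"` governs all traffic to, from or through the host's default network namespace), so anyone able to create or update this cluster-scoped resource can subject kubelet and control-plane traffic on a node to policy, or remove protection that was previously in place. The chart's `rbac.yaml` appears in the diffstat but not in this chunk; it is worth confirming that create/update/delete on `hostendpoints.crd.projectcalico.org` is granted only to the Calico service accounts and not to a broad aggregated role. Separately, `ports[].protocol` carries `pattern: ^.*`, which accepts any string; a comment above it such as `# protocol values are validated by Calico, not by the API server` would stop readers assuming admission-time validation exists.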
@@ -0,0 +1,82 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_ipamblocks.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ipamblocks.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPAMBlock + listKind: IPAMBlockList + plural: ipamblocks + singular: ipamblock + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMBlockSpec contains the specification for an IPAMBlock + resource. + properties: + affinity: + type: string + allocations: + items: + type: integer + # TODO: This nullable is manually added in. We should update controller-gen + # to handle []*int properly itself. 
+ nullable: true + type: array + attributes: + items: + properties: + handle_id: + type: string + secondary: + additionalProperties: + type: string + type: object + type: object + type: array + cidr: + type: string + deleted: + type: boolean + strictAffinity: + type: boolean + unallocated: + items: + type: integer + type: array + required: + - allocations + - attributes + - cidr + - strictAffinity + - unallocated + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ipamconfigs.crd.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ipamconfigs.crd.yaml new file mode 100755 index 0000000..b03a308 --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ipamconfigs.crd.yaml 
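Review bot: The `# TODO: This nullable is manually added in` comment above `nullable: true` shows this vendored file carries a hand edit on top of controller-gen output, while the `# Source:` header records only an upstream path, not the Calico version or commit it was copied from. When these CRDs are next re-synced from upstream (the chart version suggests Calico v3.21.2, but that is inferred rather than stated in the file) the manual change can be silently lost or a different upstream revision pulled in unnoticed. Recording provenance in the header, e.g. `# Source: calico v3.21.2 (commit <sha>) _includes/charts/calico/crds/kdd/crd.projectcalico.org_ipamblocks.yaml`, makes the copy verifiable against upstream; the same applies to the other CRD files in this commit.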
@@ -0,0 +1,57 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_ipamconfigs.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ipamconfigs.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPAMConfig + listKind: IPAMConfigList + plural: ipamconfigs + singular: ipamconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMConfigSpec contains the specification for an IPAMConfig + resource. + properties: + autoAllocateBlocks: + type: boolean + maxBlocksPerHost: + description: MaxBlocksPerHost, if non-zero, is the max number of blocks + that can be affine to each host. + type: integer + strictAffinity: + type: boolean + required: + - autoAllocateBlocks + - strictAffinity + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ipamhandles.crd.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ipamhandles.crd.yaml new file mode 100755 index 0000000..06a6306 --- /dev/null 
+++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ipamhandles.crd.yaml @@ -0,0 +1,57 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_ipamhandles.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ipamhandles.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPAMHandle + listKind: IPAMHandleList + plural: ipamhandles + singular: ipamhandle + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMHandleSpec contains the specification for an IPAMHandle + resource. + properties: + block: + additionalProperties: + type: integer + type: object + deleted: + type: boolean + handleID: + type: string + required: + - block + - handleID + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ippools.crd.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ippools.crd.yaml new file mode 100755 index 0000000..6b8c9d1 --- /dev/null 
+++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ippools.crd.yaml 
@@ -0,0 +1,100 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_ippools.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPPool + listKind: IPPoolList + plural: ippools + singular: ippool + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPPoolSpec contains the specification for an IPPool resource. + properties: + blockSize: + description: The block size to use for IP address assignments from + this pool. Defaults to 26 for IPv4 and 112 for IPv6. + type: integer + cidr: + description: The pool CIDR. + type: string + disabled: + description: When disabled is true, Calico IPAM will not assign addresses + from this pool. + type: boolean + ipip: + description: 'Deprecated: this field is only used for APIv1 backwards + compatibility. Setting this field is not allowed, this field is + for internal use only.' + properties: + enabled: + description: When enabled is true, ipip tunneling will be used + to deliver packets to destinations within this pool. + type: boolean + mode: + description: The IPIP mode. This can be one of "always" or "cross-subnet". 
A + mode of "always" will also use IPIP tunneling for routing to + destination IP addresses within this pool. A mode of "cross-subnet" + will only use IPIP tunneling when the destination node is on + a different subnet to the originating node. The default value + (if not specified) is "always". + type: string + type: object + ipipMode: + description: Contains configuration for IPIP tunneling for this pool. + If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling + is disabled). + type: string + nat-outgoing: + description: 'Deprecated: this field is only used for APIv1 backwards + compatibility. Setting this field is not allowed, this field is + for internal use only.' + type: boolean + natOutgoing: + description: When nat-outgoing is true, packets sent from Calico networked + containers in this pool to destinations outside of this pool will + be masqueraded. + type: boolean + nodeSelector: + description: Allows IPPool to allocate for a specific node by label + selector. + type: string + vxlanMode: + description: Contains configuration for VXLAN tunneling for this pool. + If not specified, then this is defaulted to "Never" (i.e. VXLAN + tunneling is disabled). + type: string + required: + - cidr + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ipreservations.crd.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ipreservations.crd.yaml new file mode 100755 index 0000000..107268a --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/ipreservations.crd.yaml 
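Review bot: `ipipMode` and `vxlanMode` are declared as plain `type: string` with no `enum`, so the API server accepts any value, including a misspelled or wrong-case mode, and the object is only rejected or reinterpreted later by Calico components; how Calico treats an unrecognised value is not visible here, but these fields decide whether pod traffic leaves the node encapsulated, so a typo that ends up behaving like the documented default of `"Never"` would be an easy-to-miss change in how traffic crosses the network. If the chart is willing to diverge slightly from the upstream-generated schema, `enum: [Always, CrossSubnet, Never]` under each of the two fields gives admission-time validation; otherwise a comment stating that mode validation happens in Calico rather than at the API server sets expectations for operators applying these objects with kubectl. `cidr`, the only required field, likewise has no `format: cidr`, so a malformed pool is also accepted at admission.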
@@ -0,0 +1,52 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_ipreservations.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ipreservations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPReservation + listKind: IPReservationList + plural: ipreservations + singular: ipreservation + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPReservationSpec contains the specification for an IPReservation + resource. + properties: + reservedCIDRs: + description: ReservedCIDRs is a list of CIDRs and/or IP addresses + that Calico IPAM will exclude from new allocations. + items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/kubecontrollersconfigurations.crd.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/kubecontrollersconfigurations.crd.yaml new file mode 100755 index 0000000..f19216f --- /dev/null 
+++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/kubecontrollersconfigurations.crd.yaml 
@@ -0,0 +1,244 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_kubecontrollersconfigurations.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: kubecontrollersconfigurations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: KubeControllersConfiguration + listKind: KubeControllersConfigurationList + plural: kubecontrollersconfigurations + singular: kubecontrollersconfiguration + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KubeControllersConfigurationSpec contains the values of the + Kubernetes controllers configuration. + properties: + controllers: + description: Controllers enables and configures individual Kubernetes + controllers + properties: + namespace: + description: Namespace enables and configures the namespace controller. + Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + type: object + node: + description: Node enables and configures the node controller. + Enabled by default, set to nil to disable. 
+ properties: + hostEndpoint: + description: HostEndpoint controls syncing nodes to host endpoints. + Disabled by default, set to nil to disable. + properties: + autoCreate: + description: 'AutoCreate enables automatic creation of + host endpoints for every node. [Default: Disabled]' + type: string + type: object + leakGracePeriod: + description: 'LeakGracePeriod is the period used by the controller + to determine if an IP address has been leaked. Set to 0 + to disable IP garbage collection. [Default: 15m]' + type: string + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + syncLabels: + description: 'SyncLabels controls whether to copy Kubernetes + node labels to Calico nodes. [Default: Enabled]' + type: string + type: object + policy: + description: Policy enables and configures the policy controller. + Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + type: object + serviceAccount: + description: ServiceAccount enables and configures the service + account controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + type: object + workloadEndpoint: + description: WorkloadEndpoint enables and configures the workload + endpoint controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + type: object + type: object + etcdV3CompactionPeriod: + description: 'EtcdV3CompactionPeriod is the period between etcdv3 + compaction requests. Set to 0 to disable. 
[Default: 10m]' + type: string + healthChecks: + description: 'HealthChecks enables or disables support for health + checks [Default: Enabled]' + type: string + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: Info]' + type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. Set to 0 to disable. [Default: 9094]' + type: integer + required: + - controllers + type: object + status: + description: KubeControllersConfigurationStatus represents the status + of the configuration. It's useful for admins to be able to see the actual + config that was applied, which can be modified by environment variables + on the kube-controllers process. + properties: + environmentVars: + additionalProperties: + type: string + description: EnvironmentVars contains the environment variables on + the kube-controllers that influenced the RunningConfig. + type: object + runningConfig: + description: RunningConfig contains the effective config that is running + in the kube-controllers pod, after merging the API resource with + any environment variables. + properties: + controllers: + description: Controllers enables and configures individual Kubernetes + controllers + properties: + namespace: + description: Namespace enables and configures the namespace + controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + type: object + node: + description: Node enables and configures the node controller. + Enabled by default, set to nil to disable. + properties: + hostEndpoint: + description: HostEndpoint controls syncing nodes to host + endpoints. Disabled by default, set to nil to disable. 
+ properties: + autoCreate: + description: 'AutoCreate enables automatic creation + of host endpoints for every node. [Default: Disabled]' + type: string + type: object + leakGracePeriod: + description: 'LeakGracePeriod is the period used by the + controller to determine if an IP address has been leaked. + Set to 0 to disable IP garbage collection. [Default: + 15m]' + type: string + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + syncLabels: + description: 'SyncLabels controls whether to copy Kubernetes + node labels to Calico nodes. [Default: Enabled]' + type: string + type: object + policy: + description: Policy enables and configures the policy controller. + Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + type: object + serviceAccount: + description: ServiceAccount enables and configures the service + account controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + type: object + workloadEndpoint: + description: WorkloadEndpoint enables and configures the workload + endpoint controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + type: object + type: object + etcdV3CompactionPeriod: + description: 'EtcdV3CompactionPeriod is the period between etcdv3 + compaction requests. Set to 0 to disable. 
[Default: 10m]' + type: string + healthChecks: + description: 'HealthChecks enables or disables support for health + checks [Default: Enabled]' + type: string + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which + logs are sent to the stdout. [Default: Info]' + type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. Set to 0 to disable. [Default: + 9094]' + type: integer + required: + - controllers + type: object + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/networkpolicies.crd.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/networkpolicies.crd.yaml new file mode 100755 index 0000000..f729b6e --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/networkpolicies.crd.yaml 
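Review bot: `status.environmentVars` publishes the kube-controllers process environment that influenced its configuration into a cluster-scoped object, so anything with `get`/`list` on `kubecontrollersconfigurations.crd.projectcalico.org` can read those values. Which variables are copied is decided by kube-controllers rather than by this schema, so it is worth confirming that only the documented configuration variables appear there and that nothing credential-like is ever set in that pod's environment; read access to this CRD should be treated as sensitive when reviewing the chart's RBAC. Also, `controllers.node.hostEndpoint.autoCreate` creates a HostEndpoint for every node when enabled, bringing all node traffic under policy evaluation; a comment above the `hostEndpoint` block such as `# enabling autoCreate puts every node's host traffic under Calico policy; have host policies in place first` would help operators, though how Calico treats a HostEndpoint with no matching policy is not visible in this diff.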
@@ -0,0 +1,838 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_networkpolicies.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: NetworkPolicy + listKind: NetworkPolicyList + plural: networkpolicies + singular: networkpolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + egress: + description: The ordered set of egress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with \"Not\". All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." 
+ properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. 
+ type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. 
+ items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. 
+ It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. 
+ pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. 
Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." 
+ type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + required: + - action + type: object + type: array + ingress: + description: The ordered set of ingress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. 
Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with \"Not\". All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. 
Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." 
+ type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. 
+ items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. 
This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." 
+ type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. 
+ One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. 
+ type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + required: + - action + type: object + type: array + order: + description: Order is an optional field that specifies the order in + which the policy is applied. Policies with higher "order" are applied + after those with lower order. If the order is omitted, it may be + considered to be "infinite" - i.e. the policy will be applied last. Policies + with identical order will be applied in alphanumerical order based + on the Policy "Name". + type: number + selector: + description: "The selector is an expression used to pick pick out + the endpoints that the policy should be applied to. \n Selector + expressions follow this syntax: \n \tlabel == \"string_literal\" + \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" + \ -> not equal; also matches if label is not present \tlabel in + { \"a\", \"b\", \"c\", ... } -> true if the value of label X is + one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", + ... } -> true if the value of label X is not one of \"a\", \"b\", + \"c\" \thas(label_name) -> True if that label is present \t! expr + -> negation of expr \texpr && expr -> Short-circuit and \texpr + || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + or the empty selector -> matches all endpoints. \n Label names are + allowed to contain alphanumerics, -, _ and /. String literals are + more permissive but they do not support escape characters. \n Examples + (with made-up labels): \n \ttype == \"webserver\" && deployment + == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != + \"dev\" \t! has(label_name)" + type: string + serviceAccountSelector: + description: ServiceAccountSelector is an optional field for an expression + used to select a pod based on service accounts. 
+ type: string + types: + description: "Types indicates whether this policy applies to ingress, + or to egress, or to both. When not explicitly specified (and so + the value on creation is empty or nil), Calico defaults Types according + to what Ingress and Egress are present in the policy. The default + is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including + the case where there are also no Ingress rules) \n - [ PolicyTypeEgress + ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, + PolicyTypeEgress ], if there are both Ingress and Egress rules. + \n When the policy is read back again, Types will always be one + of these values, never empty or nil." + items: + description: PolicyType enumerates the possible values of the PolicySpec + Types field. + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/networksets.crd.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/networksets.crd.yaml new file mode 100755 index 0000000..2e545a1 --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/crds/networksets.crd.yaml 
@@ -0,0 +1,52 @@ +--- +# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_networksets.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networksets.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: NetworkSet + listKind: NetworkSetList + plural: networksets + singular: networkset + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NetworkSetSpec contains the specification for a NetworkSet + resource. + properties: + nets: + description: The list of IP networks that belong to this set. + items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/daemonset.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/daemonset.yaml new file mode 100755 index 0000000..1a49610 --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/daemonset.yaml 
@@ -0,0 +1,266 @@ +--- +# Source: calico/templates/calico-node.yaml +# This manifest installs the canal container, as well +# as the CNI plugins and network config on +# each master and worker node in a Kubernetes cluster. +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Release.Name | quote }} + namespace: kube-system + labels: + k8s-app: canal +spec: + selector: + matchLabels: + k8s-app: canal + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + k8s-app: canal + spec: + nodeSelector: + kubernetes.io/os: linux + hostNetwork: true + tolerations: + # Make sure canal gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + serviceAccountName: canal + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 0 + priorityClassName: system-node-critical + initContainers: + # This container installs the CNI binaries + # and CNI network config file on each node. + - name: install-cni + image: {{ template "system_default_registry" . }}{{ .Values.calico.cniImage.repository }}:{{ .Values.calico.cniImage.tag }} + command: ["/opt/cni/bin/install"] + env: + # Name of the CNI config file to create. + - name: CNI_CONF_NAME + value: "10-canal.conflist" + # The CNI network config to install on each node. + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + name: {{ .Release.Name }}-config + key: cni_network_config + # Set the hostname based on the k8s node name. 
+ - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # CNI MTU Config variable + - name: CNI_MTU + valueFrom: + configMapKeyRef: + name: {{ .Release.Name }}-config + key: veth_mtu + # Prevents the container from sleeping forever. + - name: SLEEP + value: "false" + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + securityContext: + privileged: true + # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes + # to communicate with Felix over the Policy Sync API. + - name: flexvol-driver + image: {{ template "system_default_registry" . }}{{ .Values.calico.flexvolImage.repository }}:{{ .Values.calico.flexvolImage.tag }} + command: ['/usr/local/bin/flexvol.sh', '-s', '/usr/local/bin/flexvol', '-i', 'flexvoldriver'] + volumeMounts: + - name: flexvol-driver-host + mountPath: /host/driver + securityContext: + privileged: true + containers: + # Runs canal container on each Kubernetes node. This + # container programs network policy and routes on each + # host. + - name: calico-node + command: + - "start_runit" + image: {{ template "system_default_registry" . }}{{ .Values.calico.nodeImage.repository }}:{{ .Values.calico.nodeImage.tag }} + env: + # Use Kubernetes API as the backing datastore. + - name: DATASTORE_TYPE + value: {{ .Values.calico.datastoreType | quote }} + # Configure route aggregation based on pod CIDR. + - name: USE_POD_CIDR + value: {{ .Values.calico.usePodCIDR | quote }} + # Wait for the datastore. + - name: WAIT_FOR_DATASTORE + value: {{ .Values.calico.waitForDatastore | quote }} + # Set based on the k8s node name. + - name: NODENAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # Don't enable BGP. 
+ - name: CALICO_NETWORKING_BACKEND + value: {{ .Values.calico.networkingBackend | quote }} + # Cluster type to identify the deployment type + - name: CLUSTER_TYPE + value: {{ .Values.calico.clusterType | quote}} + # Period, in seconds, at which felix re-applies all iptables state + - name: FELIX_IPTABLESREFRESHINTERVAL + value: {{ .Values.calico.felixIptablesRefreshInterval | quote}} + - name: FELIX_IPTABLESBACKEND + value: {{ .Values.calico.felixIptablesBackend | quote}} + # No IP address needed. + - name: IP + value: "" + # The default IPv4 pool to create on startup if none exists. Pod IPs will be + # chosen from this range. Changing this value after installation will have + # no effect. This should fall within `--cluster-cidr`. + # - name: CALICO_IPV4POOL_CIDR + # value: "192.168.0.0/16" + # Disable file logging so `kubectl logs` works. + - name: CALICO_DISABLE_FILE_LOGGING + value: "true" + # Set Felix endpoint to host default action to ACCEPT. + - name: FELIX_DEFAULTENDPOINTTOHOSTACTION + value: {{ .Values.calico.felixDefaultEndpointToHostAction | quote }} + # Disable IPv6 on Kubernetes. + - name: FELIX_IPV6SUPPORT + value: {{ .Values.calico.felixIpv6Support | quote }} + # Set Felix logging to "info" + - name: FELIX_LOGSEVERITYSCREEN + value: {{ .Values.calico.felixLogSeverityScreen | quote }} + - name: FELIX_HEALTHENABLED + value: {{ .Values.calico.felixHealthEnabled | quote }} + # enable promentheus metrics + - name: FELIX_PROMETHEUSMETRICSENABLED + value: {{ .Values.calico.felixPrometheusMetricsEnabled | quote }} + - name: FELIX_XDPENABLED + value: {{ .Values.calico.felixXDPEnabled | quote }} + - name: FELIX_FAILSAFEINBOUNDHOSTPORTS + value: {{ .Values.calico.felixFailsafeInboundHostPorts | quote }} + - name: FELIX_FAILSAFEOUTBOUNDHOSTPORTS + value: {{ .Values.calico.felixFailsafeOutboundHostPorts | quote }} + # The method to use to autodetect the IPv4 address for this host. 
+ - name: IP_AUTODETECTION_METHOD + value: {{ .Values.calico.ipAutoDetectionMethod | quote }} + # The method to use to autodetect the IPv6 address for this host. + - name: IP6_AUTODETECTION_METHOD + value: {{ .Values.calico.ip6AutoDetectionMethod | quote }} + securityContext: + privileged: true + resources: + requests: + cpu: 250m + livenessProbe: + exec: + command: + - /bin/calico-node + - -felix-live + periodSeconds: 10 + initialDelaySeconds: 10 + failureThreshold: 6 + readinessProbe: + httpGet: + path: /readiness + port: 9099 + host: localhost + periodSeconds: 10 + volumeMounts: + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + readOnly: false + - mountPath: /var/run/calico + name: var-run-calico + readOnly: false + - mountPath: /var/lib/calico + name: var-lib-calico + readOnly: false + - name: policysync + mountPath: /var/run/nodeagent + # This container runs flannel using the kube-subnet-mgr backend + # for allocating subnets. + - name: kube-flannel + image: {{ template "system_default_registry" . }}{{ .Values.flannel.image.repository }}:{{ .Values.flannel.image.tag }} + command: + - "/opt/bin/flanneld" + {{- range .Values.flannel.args }} + - {{ . | quote }} + {{- end }} + securityContext: + privileged: true + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: FLANNELD_IFACE + valueFrom: + configMapKeyRef: + name: {{ .Release.Name }}-config + key: canal_iface + - name: FLANNELD_IP_MASQ + valueFrom: + configMapKeyRef: + name: {{ .Release.Name }}-config + key: masquerade + volumeMounts: + - mountPath: /run/xtables.lock + name: xtables-lock + readOnly: false + - name: flannel-cfg + mountPath: /etc/kube-flannel/ + volumes: + # Used by canal. 
+ - name: lib-modules + hostPath: + path: /lib/modules + - name: var-run-calico + hostPath: + path: /var/run/calico + - name: var-lib-calico + hostPath: + path: /var/lib/calico + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate + # Used by flannel. + - name: flannel-cfg + configMap: + name: {{ .Release.Name }}-config + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: /opt/cni/bin + - name: cni-net-dir + hostPath: + path: /etc/cni/net.d + # Used to create per-pod Unix Domain Sockets + - name: policysync + hostPath: + type: DirectoryOrCreate + path: /var/run/nodeagent + # Used to install Flex Volume Driver + - name: flexvol-driver-host + hostPath: + type: DirectoryOrCreate + path: {{ .Values.calico.flexVolumePluginDir }}/nodeagent~uds diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/rbac.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/rbac.yaml new file mode 100755 index 0000000..2936532 --- /dev/null +++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/rbac.yaml 
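Review bot: The `FELIX_FAILSAFEINBOUNDHOSTPORTS` and `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` env entries on the `calico-node` container are the only security-bearing settings in that env block that are passed straight through from `.Values.calico.felixFailsafe*` without a comment, while every neighbouring variable has one; per Felix's documented semantics these are ports that are always allowed to/from host endpoints irrespective of any policy, so a widened default in values.yaml silently punches holes in host protection. I would add, above the inbound entry, `# Ports Felix always allows to/from host endpoints regardless of policy; widening these in values.yaml bypasses host policy — keep the list minimal.` All three containers run `privileged: true` on `hostNetwork: true`, and the `install-cni` init container writes the node's CNI trust roots (`/opt/cni/bin`, `/etc/cni/net.d`) through writable hostPath mounts; this appears to mirror the upstream Calico manifest and is inherent to a CNI DaemonSet, but a one-line comment such as `# Privileged + hostNetwork are required to program iptables/routes on the host; keep volumeMounts read-only where possible (lib-modules already is).` above the `calico-node` securityContext would make the intent explicit for reviewers. The values this template reads (`felixFailsafe*`, `flexVolumePluginDir`, `networkingBackend`) are defined outside this hunk, so the defaults cannot be checked here.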
@@ -0,0 +1,170 @@
+---
+# Source: calico/templates/calico-node-rbac.yaml
+# Include a clusterrole for the calico-node DaemonSet,
+# and bind it to the calico-node serviceaccount.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: calico-node
+rules:
+ # The CNI plugin needs to get pods, nodes, and namespaces.
+ - apiGroups: [""]
+ resources:
+ - pods
+ - nodes
+ - namespaces
+ verbs:
+ - get
+ # EndpointSlices are used for Service-based network policy rule
+ # enforcement.
+ - apiGroups: ["discovery.k8s.io"]
+ resources:
+ - endpointslices
+ verbs:
+ - watch
+ - list
+ - apiGroups: [""]
+ resources:
+ - endpoints
+ - services
+ verbs:
+ # Used to discover service IPs for advertisement.
+ - watch
+ - list
+ # Used to discover Typhas.
+ - get
+ # Pod CIDR auto-detection on kubeadm needs access to config maps.
+ - apiGroups: [""]
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - apiGroups: [""]
+ resources:
+ - nodes/status
+ verbs:
+ # Needed for clearing NodeNetworkUnavailable flag.
+ - patch
+ # Calico stores some configuration information in node annotations.
+ - update
+ # Watch for changes to Kubernetes NetworkPolicies.
+ - apiGroups: ["networking.k8s.io"]
+ resources:
+ - networkpolicies
+ verbs:
+ - watch
+ - list
+ # Used by Calico for policy information.
+ - apiGroups: [""]
+ resources:
+ - pods
+ - namespaces
+ - serviceaccounts
+ verbs:
+ - list
+ - watch
+ # The CNI plugin patches pods/status.
+ - apiGroups: [""]
+ resources:
+ - pods/status
+ verbs:
+ - patch
+ # Calico monitors various CRDs for config.
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - globalfelixconfigs
+ - felixconfigurations
+ - bgppeers
+ - globalbgpconfigs
+ - bgpconfigurations
+ - ippools
+ - ipamblocks
+ - globalnetworkpolicies
+ - globalnetworksets
+ - networkpolicies
+ - networksets
+ - clusterinformations
+ - hostendpoints
+ - blockaffinities
+ verbs:
+ - get
+ - list
+ - watch
+ # Calico must create and update some CRDs on startup.
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - ippools
+ - felixconfigurations
+ - clusterinformations
+ verbs:
+ - create
+ - update
+ # Calico stores some configuration information on the node.
+ - apiGroups: [""]
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+ # These permissions are only required for upgrade from v2.6, and can
+ # be removed after upgrade or on fresh installations.
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - bgpconfigurations
+ - bgppeers
+ verbs:
+ - create
+ - update
+
+---
+# Flannel ClusterRole
+# Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: flannel
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ verbs:
+ - get
+ - apiGroups: [""]
+ resources:
+ - nodes
+ verbs:
+ - list
+ - watch
+ - apiGroups: [""]
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+---
+# Bind the flannel ClusterRole to the canal ServiceAccount.
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: canal-flannel
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: flannel
+subjects:
+- kind: ServiceAccount
+ name: canal
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: canal-calico
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico-node
+subjects:
+- kind: ServiceAccount
+ name: canal
+ namespace: kube-system
diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/serviceaccount.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/serviceaccount.yaml
new file mode 100755
index 0000000..582d55b
--- /dev/null
+++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/templates/serviceaccount.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: canal
+ namespace: kube-system
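Review bot: The last calico-node rule, granting `create` and `update` on bgpconfigurations and bgppeers, is carried in under a comment that says it is only required for upgrade from v2.6 and can be removed on fresh installations; a new chart version that ships this as a brand-new file is presumably such a fresh installation, so the rule widens what the canal ServiceAccount can do beyond what the DaemonSet needs and should be dropped, or gated behind a values toggle so operators can turn it off. Read access to both resources is already granted by the `Calico monitors various CRDs for config` rule, so removing the write rule changes nothing for a steady-state node. The `get` verb on `nodes` is granted twice (first rule and the `Calico stores some configuration information on the node` rule), which is harmless but makes the role harder to audit. The two `subjects:` sequences are flush with their key (`- kind: ServiceAccount`) while every `rules:` sequence is indented; pick one sequence indentation style for the file.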
diff --git a/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/values.yaml b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/values.yaml
new file mode 100755
index 0000000..6598f3f
--- /dev/null
+++ b/charts/rke2-canal/rke2-canal/v3.21.2-build2022020409/values.yaml
@@ -0,0 +1,86 @@
+---
+
+# The IPv4 cidr pool to create on startup if none exists. Pod IPs will be
+# chosen from this range.
+podCidr: "10.42.0.0/16"
+
+flannel:
+ # kube-flannel image
+ image:
+ repository: rancher/hardened-flannel
+ tag: v0.16.1-build20220119
+ # The interface used by canal for host <-> host communication.
+ # If left blank, then the interface is chosen using the node's
+ # default route.
+ iface: ""
+ # kube-flannel command arguments
+ args:
+ - "--ip-masq"
+ - "--kube-subnet-mgr"
+ # Backend for kube-flannel. Backend should not be changed
+ # at runtime.
+ backend: "vxlan"
+
+calico:
+ # CNI installation image.
+ cniImage:
+ repository: rancher/hardened-calico
+ tag: v3.21.2-build20220119
+ # Canal node image.
+ nodeImage:
+ repository: rancher/hardened-calico
+ tag: v3.21.2-build20220119
+ # Flexvol Image.
+ flexvolImage:
+ repository: rancher/hardened-calico
+ tag: v3.21.2-build20220119
+ # Datastore type for canal. It can be either kuberentes or etcd.
+ datastoreType: kubernetes
+ # Wait for datastore to initialize.
+ waitForDatastore: true
+ # Configure route aggregation based on pod CIDR.
+ usePodCIDR: true
+ # Disable BGP routing.
+ networkingBackend: none
+ # Cluster type to identify the deployment type.
+ clusterType: "k8s,canal"
+ # Disable file logging so `kubectl logs` works.
+ disableFileLogging: true
+ # Disable IPv6 on Kubernetes.
+ felixIpv6Support: false
+ # Period, in seconds, at which felix re-applies all iptables state
+ felixIptablesRefreshInterval: 60
+ # iptables backend to use for felix, defaults to auto but can also be set to nft or legacy
+ felixIptablesBackend: auto
+ # Set Felix logging to "info".
+ felixLogSeverityScreen: info
+ # Enable felix healthcheck.
+ felixHealthEnabled: true
+ # Enable prometheus metrics
+ felixPrometheusMetricsEnabled: true
+ # Disable XDP Acceleration as we do not support it with our ubi7 base image
+ felixXDPEnabled: false
+ # Whether or not to masquerade traffic to destinations not within
+ # the pod network.
+ masquerade: true
+ # Set Felix endpoint to host default action to ACCEPT.
+ felixDefaultEndpointToHostAction: ACCEPT
+ # Configure the MTU to use.
+ vethuMTU: 1450
+ # Typha is disabled.
+ typhaServiceName: none
+ # Kubelet flex-volume-plugin-dir
+ flexVolumePluginDir: /var/lib/kubelet/volumeplugins
+ # calico inbound failsafe ports. Empty string means defaults. Use 'none' to disable failsafe if you have your own rules.
+ felixFailsafeInboundHostPorts: ""
+ # calico outbound failsafe ports. Empty string means defaults. Use 'none' to disable failsafe if you have your own rules.
+ felixFailsafeOutboundHostPorts: ""
+ # The method to use to autodetect the IPv4 address for this host.
+ ipAutoDetectionMethod: "first-found"
+ # The method to use to autodetect the IPv6 address for this host.
+ ip6AutoDetectionMethod: "first-found"
+
+global:
+ systemDefaultRegistry: ""
+ clusterCIDRv4: ""
+ clusterCIDRv6: ""
diff --git a/index.yaml b/index.yaml
index cdbd8c8..3e5b218 100755
--- a/index.yaml
+++ b/index.yaml
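Review bot: `felixDefaultEndpointToHostAction: ACCEPT` carries only the comment `# Set Felix endpoint to host default action to ACCEPT.`, which restates the value but not why the chart departs from the Felix default (Drop, per the Felix configuration reference); as I read it, pod-to-host traffic that no policy matches is then let through and any filtering between pods and node services rests on the node's own rules, so a why-comment such as `# ACCEPT: pod->host traffic not matched by policy is allowed; host-side filtering must come from the node's own rules.` would record that decision for whoever reviews this posture later. The datastoreType comment has a typo and should read `# Datastore type for canal. It can be either kubernetes or etcd.`. `vethuMTU` looks like a misspelling of vethMTU, but the key is presumably read by a template elsewhere in the chart, so leave it as is rather than renaming it in isolation.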
@@ -445,6 +445,23 @@ entries: - assets/rke2-calico/rke2-calico-crd-v1.0.001.tgz version: v1.0.001 rke2-canal: + - apiVersion: v1 + appVersion: v3.21.2 + created: "2022-02-04T13:57:37.355133054Z" + description: Install Canal Network Plugin. + digest: 0c781c9528c801e2ac98a34291815240ddfbac9105aa2352c37705d529b22693 + home: https://www.projectcalico.org/ + keywords: + - canal + maintainers: + - email: charts@rancher.com + name: Rancher Labs + name: rke2-canal + sources: + - https://github.com/rancher/rke2-charts + urls: + - assets/rke2-canal/rke2-canal-v3.21.2-build2022020409.tgz + version: v3.21.2-build2022020409 - apiVersion: v1 appVersion: v3.21.2 created: "2022-01-27T09:07:41.12227446Z"